On Sun, 12 Nov 2023 at 14:58:42 +0000, Adam D Barratt wrote:
> Package: glib2.0
> Version: 2.66.8-1+deb11u1
>
> Explanation: align with upstream stable fixes; fix denial of service issues
> [CVE-2023-32665 CVE-2023-32611 CVE-2023-29499 CVE-2023-32636]; fix buffer
> overflow issue [CVE-2023-32643]
If you're able to adjust the release notes between now and the 11.9 point release, you might want to change this wording so it just mentions the DoS issues and other stable-branch fixes, but excludes the buffer overflow issue CVE-2023-32643 from the description of this update.

CVE-2023-32643 was a regression caused by errors in the initial fixes for the DoS issues. It was important that we avoided introducing it into Debian 11, but Debian 11.8 is not vulnerable (too old), and after accepting 2.66.8-1+deb11u1, to the best of my knowledge Debian 11.9 will not be vulnerable either (too new).

(For the record: I think 2.74.3-1 in unstable was briefly vulnerable to CVE-2023-32643, but that version never migrated to testing, and a fix was included in the next upload 2.74.4-1; so testing was never vulnerable, and therefore neither was Debian 12.0.)

Thanks,
    smcv