On Tue, Feb 20, 2024 at 10:11:35PM +0100, Matthias Klumpp wrote:
> The CVE page lists that commit as "patch" now, and given that emitting
> a finished transaction as finished multiple times could indeed cause
> issues (and use-after-free issues potentially as well), I am inclined
> to think that that's indeed the issue here and that the patch fixes
> it.

Ok.

> That would mean though that all PK versions starting from and
> including 1.2.7 are not vulnerable... But the CVE tells otherwise.
> Very odd.

But https://www.cve.org/CVERecord?id=CVE-2024-0217 only states "unaffected
at 1.2.7", which seems to be based on the git tag of the referenced commit?

Cheers,
Moritz