On Wed, Feb 21, 2024 at 04:27:25PM +0100, Moritz Muehlenhoff wrote:
> On Wed, Feb 21, 2024 at 04:15:17PM +0100, Matthias Klumpp wrote:
> > I'd read the "unaffected at 1.2.7" as version 1.2.7 and higher not
> > having the bug... But then again, on another page it said that the
> > respective patch only lowered the impact...
> > I remember merging that patch, and it was a pretty good robustness
> > improvement, we didn't talk about any use-after-free issue there
> > though (so it's not obvious why this changes anything either).
> > 
> > Let's see if we get a reply from the CVE reporter!
> 
> Sounds good. If there's no further information provided I'll mark the
> entry as non-actionable in the Debian security tracker and deassociate
> it from https://security-tracker.debian.org/tracker/source-package/packagekit

Half a year later still no actionable information was provided. I'll
go ahead and mark this as bogus in the Debian Security Tracker (so that
it no longer appears on the CVE page for packagekit).

As for this bug, I'd suggest we also simply close it?

Cheers,
        Moritz
