# wontfix unless fixed upstream in 6.1.y series

Control: tags -1 + wontfix
Hi Hideki

On Wed, Apr 16, 2025 at 07:38:54AM +0900, Hideki Yamane wrote:
> Source: linux
> Version: 6.1.133-1
> Severity: normal
> X-Debbugs-Cc: henr...@debian.org
>
> Dear Maintainers,
>
> I've investigated CVE-2024-38541 since I'm running Debian 12 instances
> on AWS and Amazon Inspector alerts it is critical vuln.
>
> It seems that it is easily applied to 6.1 branch with some modification
> as attached patch. I've already sent it to original author and reviewer
> but not get any reply, so I'm maybe wrong...

Can you elaborate why you think the AWS and Amazon Inspector are
correct and it is a critical vulnerability?

Context: https://www.debian.org/security/faq#cve-severity-assessment

The last time we got the very same question on the security team for
CVE-2024-38541:

| On Mon, Mar 31, 2025 at 01:13:59PM -0700, [...] wrote:
| > Hi,
| >
| > I am wondering if the following CVE's fixed in trixie/sid will be
| > backported to bullseye and bookworm?
| >
| > https://security-tracker.debian.org/tracker/CVE-2024-38541
| > https://security-tracker.debian.org/tracker/CVE-2024-38564
| > https://security-tracker.debian.org/tracker/CVE-2024-50061
|
| CVE-2024-50061 is already fixed in the latest Bookworm point release.
|
| For the other two, if you want to see them fixed, you can work
| with the maintainers of the 6.1.x LTS kernel tree to accept a
| backport:
| https://github.com/torvalds/linux/blob/master/Documentation/process/stable-kernel-rules.rst
|
| The subsequent Debian update will then pick up the fix since we follow
| the 6.1.x series.

The reason you do not get a reply might be related to a change in
upstream linux done around 18th October 2024.

Regards,
Salvatore