Hi,

On Tue, May 10, 2022 at 09:29:52PM +0200, Salvatore Bonaccorso wrote:
> Source: cifs-utils
> Version: 2:6.8-2
> Severity: grave
> Tags: security upstream
> X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
> Control: found -1 2:6.11-3.1
> Control: found -1 2:6.14-1
>
> Hi,
>
> The following vulnerabilities were published for cifs-utils.
>
> CVE-2022-27239[0]:
> | In cifs-utils through 6.14, a stack-based buffer overflow when parsing
> | the mount.cifs ip= command-line argument could lead to local attackers
> | gaining root privileges.
>
>
> CVE-2022-29869[1]:
> | cifs-utils through 6.14, with verbose logging, can cause an
> | information leak when a file contains = (equal sign) characters but is
> | not a valid credentials file.
>
>
> If you fix the vulnerabilities please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2022-27239
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27239
> [1] https://security-tracker.debian.org/tracker/CVE-2022-29869
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29869
Working on the buster- and bullseye-security updates and can propose as
well a NMU for unstable if needed.

Regards,
Salvatore
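The CVE-2022-27239 entry quoted above describes the bug only as "a stack-based buffer overflow when parsing the mount.cifs ip= command-line argument". The following C program is an added illustration written for this page, not code from cifs-utils or from the Debian bug: it shows the unsafe pattern that class of bug comes from (copying a user-supplied `key=value` option into a fixed-size buffer with no length check) next to a bounded option parser that rejects an over-long `ip=` value before anything is copied. The struct layout, the buffer sizes `MAX_ADDR_LIST_LEN` and `MAX_USERNAME_SIZE`, and all function names are hypothetical and do not reproduce the mount.cifs source.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical buffer sizes for this illustration; not the real
 * mount.cifs constants. */
#define MAX_ADDR_LIST_LEN 64
#define MAX_USERNAME_SIZE 32

struct parsed_mount_info {
    char addrlist[MAX_ADDR_LIST_LEN];   /* value of ip= / addr=        */
    char username[MAX_USERNAME_SIZE];   /* value of user= / username=  */
};

enum { OPT_OK = 0, OPT_TOO_LONG = 1, OPT_BAD_SYNTAX = 2 };

/* Unsafe pattern: the option value is copied into a fixed-size buffer
 * with no length check. A value of MAX_ADDR_LIST_LEN bytes or more
 * writes past addrlist into whatever follows it on the caller's stack.
 * Never call this with untrusted input; it is here only for contrast. */
void set_addrlist_unchecked(struct parsed_mount_info *mi, const char *value)
{
    strcpy(mi->addrlist, value);
}

/* Hardened copy: refuse any value that does not fit together with its
 * terminating NUL, and copy nothing on failure. */
static int copy_bounded(char *dst, size_t cap, const char *value, size_t vlen)
{
    if (vlen >= cap)
        return OPT_TOO_LONG;
    memcpy(dst, value, vlen);
    dst[vlen] = '\0';
    return OPT_OK;
}

static int key_is(const char *key, size_t klen, const char *name)
{
    return strlen(name) == klen && memcmp(key, name, klen) == 0;
}

/* Parse a comma-separated "key=value,key=value" option string.
 * Unknown keys are ignored; an over-long value or a token without
 * '=' aborts parsing and the caller must treat mi as unusable. */
int parse_mount_options(struct parsed_mount_info *mi, const char *options)
{
    const char *p = options;

    memset(mi, 0, sizeof(*mi));
    while (*p) {
        const char *end = strchr(p, ',');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        const char *eq = memchr(p, '=', len);
        int rc = OPT_OK;

        if (!eq)
            return OPT_BAD_SYNTAX;
        {
            size_t klen = (size_t)(eq - p);
            const char *value = eq + 1;
            size_t vlen = len - klen - 1;

            if (key_is(p, klen, "ip") || key_is(p, klen, "addr"))
                rc = copy_bounded(mi->addrlist, sizeof mi->addrlist, value, vlen);
            else if (key_is(p, klen, "user") || key_is(p, klen, "username"))
                rc = copy_bounded(mi->username, sizeof mi->username, value, vlen);
        }
        if (rc != OPT_OK)
            return rc;
        if (!end)
            break;
        p = end + 1;
    }
    return OPT_OK;
}

/* Helper for probing the boundary: parse "ip=" followed by n 'A's. */
int rc_for_ip_of_length(size_t n)
{
    char buf[3 + 256 + 1];
    struct parsed_mount_info mi;

    if (n > 256)
        return OPT_BAD_SYNTAX;
    memcpy(buf, "ip=", 3);
    memset(buf + 3, 'A', n);
    buf[3 + n] = '\0';
    return parse_mount_options(&mi, buf);
}

int main(void)
{
    struct parsed_mount_info mi;
    int rc = parse_mount_options(&mi, "ip=192.0.2.10,user=alice,vers=3.0");

    printf("rc=%d addrlist=%s username=%s\n", rc, mi.addrlist, mi.username);
    printf("63-byte ip= -> rc=%d, 64-byte ip= -> rc=%d\n",
           rc_for_ip_of_length(63), rc_for_ip_of_length(64));
    set_addrlist_unchecked(&mi, "192.0.2.11");   /* short value: harmless here */
    return 0;
}
```

The boundary matters: a 63-byte value plus its NUL exactly fills a 64-byte buffer and is accepted, while a 64-byte value is rejected before any byte is written, so a partially filled buffer is never handed to the mount logic. A setuid mount helper should also fail closed on `OPT_BAD_SYNTAX` rather than try to recover.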