Hi,

After fixing CVE-2025-27773 (#1100595) for LTS I was taking a look at tackling unstable as well (as a step toward fixing stable). While doing this I noticed that the changelog entry for 1.19.7-1+deb12u1 only mentions CVE-2024-52596 but not CVE-2024-52806, and there is also only a patch named CVE-2024-52596 [1] but no sign of a fix for CVE-2024-52806, so I believe the latter has not been fixed with 1.19.7-1+deb12u1, despite the security tracker saying so.

Possibly I've missed something, so I'd appreciate it if someone could verify my findings.

[1] The patch content matches the upstream patch mentioned in the security tracker.

Cheers,
tobi

On Mon, 02 Dec 2024 19:23:08 +0100 Salvatore Bonaccorso <car...@debian.org> wrote:
> Source: simplesamlphp
> Version: 1.19.7-1
> Severity: grave
> Tags: security upstream
> Justification: user security hole
> X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
> Control: fixed -1 1.19.7-1+deb12u1
>
> Hi Thijs,
>
> The following vulnerability was published for simplesamlphp.
>
> This bug is just to reflect that the CVE is fixed in bookworm already
> but not yet in the upper suite. I'm aware of #1088816 which is to make
> sure that 1.19 is not shipped with trixie.
>
> CVE-2024-52596[0]:
> | SimpleSAMLphp xml-common is a common classes for handling XML-
> | structures. When loading an (untrusted) XML document, for example
> | the SAMLResponse, it's possible to induce an XXE. This vulnerability
> | is fixed in 1.19.0.
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2024-52596
> https://www.cve.org/CVERecord?id=CVE-2024-52596
>
> Regards,
> Salvatore