Hi

On Sat, May 10, 2025 at 08:48:56AM +0200, Tobias Frost wrote:
> Hi,
>
> After fixing CVE-2025-27773 (#1100595) for LTS I was taking a look
> to tackle unstable as well (as a step toward fixing stable).
> While doing this I noticed that the changelog entry for 1.19.7-1+deb12u1
> only mentions CVE-2024-52596 but not CVE-2024-52806, and there is also
> only a patch named CVE-2024-52596 [1] but no sign of a fix for CVE-2024-
> 52806, so I believe the latter has not been fixed with 1.19.7-1+deb12u1,
> despite the security tracker saying so.
>
> Possibly I've missed something, so I'd appreciate it if someone could
> verify my findings.
>
> [1] the patch content matches the upstream patch mentioned in the
> security tracker,
I believe it is all correct. Back then, when Thijs prepared the update, only one CVE was known, and in fact the patch was named with the wrong CVE id. The followup to the tracker explained that:

https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/13291705050fb81832690a56cbbd84345996f691

I.e. CVE-2024-52806 is fixed by

https://github.com/simplesamlphp/saml2/commit/5fd4ce4596656fb0c1278f15b8305825412e89f7

and for CVE-2024-52724 the "fix" is actually

https://github.com/simplesamlphp/xml-common/commit/fa4ade391c3194466acf5fbfd5d2ecdbf5e831f5

but it is considered sufficiently fixed with the dropping of the LIBXML_DTDLOAD | LIBXML_DTDATTR options from $options, as explained in the notes. I asked Thijs about this back in December 2024.

I.e. do not change the state of the entries for what was fixed with Thijs' DSA.

Regards,
Salvatore
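The option change Salvatore refers to, shown as an added example that is not code from simplesamlphp or from either mail: a DOMDocument parse with the LIBXML_DTDLOAD | LIBXML_DTDATTR flags beside one without them. LIBXML_DTDLOAD makes libxml fetch the external DTD subset and LIBXML_DTDATTR makes it apply attribute defaults declared in the DTD; the hardened variant passes neither, adds LIBXML_NONET, and additionally rejects any document that carries a DOCTYPE at all. That last check and the function names are this example's own choices, not something the thread describes, and the sample document is constructed.

```php
<?php
declare(strict_types=1);

// Constructed sample: an internal DTD subset that declares a default attribute.
// With LIBXML_DTDATTR the parser will materialise mode="default" on <root>.
const SAMPLE_XML = '<?xml version="1.0"?>'
    . '<!DOCTYPE root [<!ATTLIST root mode CDATA "default">]>'
    . '<root/>';

// Weak option set (the one the thread says was dropped): DTD loading plus
// DTD-driven attribute defaults.
const WEAK_OPTIONS = LIBXML_DTDLOAD | LIBXML_DTDATTR;

// Hardened option set: no DTD loading, no DTD attribute defaults, and no
// network access for any external resource libxml might otherwise fetch.
const HARDENED_OPTIONS = LIBXML_NONET | LIBXML_NONET;

// Parse with the given libxml flags; surface libxml errors as exceptions
// instead of warnings so callers cannot silently ignore a bad document.
function parseWith(string $xml, int $options): DOMDocument
{
    $previous = libxml_use_internal_errors(true);
    try {
        $doc = new DOMDocument('1.0', 'UTF-8');
        if (!$doc->loadXML($xml, $options)) {
            $errors = array_map(fn($e) => trim($e->message), libxml_get_errors());
            throw new RuntimeException('XML parse failed: ' . implode('; ', $errors));
        }
        return $doc;
    } finally {
        libxml_clear_errors();
        libxml_use_internal_errors($previous);
    }
}

// Hypothetical hardened entry point: parse without DTD flags and refuse
// documents that carry a DOCTYPE (an extra restriction chosen for this example).
function parseHardened(string $xml): DOMDocument
{
    $doc = parseWith($xml, HARDENED_OPTIONS);
    foreach ($doc->childNodes as $child) {
        if ($child->nodeType === XML_DOCUMENT_TYPE_NODE) {
            throw new RuntimeException('Document contains a DOCTYPE; refusing to process it');
        }
    }
    return $doc;
}

// Demonstration: the weak flags let the DTD inject an attribute the caller
// never saw in the markup; the hardened path refuses the document outright.
$weak = parseWith(SAMPLE_XML, WEAK_OPTIONS);
printf("weak:     mode=\"%s\"\n", $weak->documentElement->getAttribute('mode'));

try {
    parseHardened(SAMPLE_XML);
    echo "hardened: accepted\n";
} catch (RuntimeException $e) {
    echo 'hardened: rejected (' . $e->getMessage() . ")\n";
}
```

Note that for the external-subset case the difference is larger than one attribute: without LIBXML_DTDLOAD, libxml does not fetch a DTD referenced from the DOCTYPE at all, which is the behaviour the dropped options removed.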