Bug#1063484: libuv1: CVE-2024-24806

2024-03-10 Thread Salvatore Bonaccorso
Hi Dominique, On Thu, Mar 07, 2024 at 08:58:11AM +0100, Dominique Dumont wrote: > On Wednesday, 6 March 2024 21:07:56 CET Salvatore Bonaccorso wrote: > > Thank you very much. Looks good to me, feel free to upload as well to > > security-master (and build as well with -sa). > > Done. DSA 5638-1 h

Bug#1063484: libuv1: CVE-2024-24806

2024-03-07 Thread Dominique Dumont
On Wednesday, 6 March 2024 21:07:56 CET Salvatore Bonaccorso wrote: > Thank you very much. Looks good to me, feel free to upload as well to > security-master (and build as well with -sa). Done. All the best

Bug#1063484: libuv1: CVE-2024-24806

2024-03-06 Thread Salvatore Bonaccorso
Hi On Wed, Mar 06, 2024 at 07:06:55PM +0100, Dominique Dumont wrote: > On Tuesday, 5 March 2024 22:15:50 CET Salvatore Bonaccorso wrote: > > The debdiff for bookworm-security looks good to me. Please do upload > > to security-master (and make sure to build with -sa as the orig > > tarball is not y

Bug#1063484: libuv1: CVE-2024-24806

2024-03-05 Thread Salvatore Bonaccorso
Hi Dominique, On Sun, Mar 03, 2024 at 03:51:28PM +0100, Dominique Dumont wrote: > On Thu, 29 Feb 2024 21:53:07 +0100 Salvatore Bonaccorso > wrote: > > libuv1 is as well affected in bullseye and it's still supported. Can > > you have a look as well at this version? > > The same patch (with a re

Bug#1063484: libuv1: CVE-2024-24806

2024-03-03 Thread Dominique Dumont
On Thu, 29 Feb 2024 21:53:07 +0100 Salvatore Bonaccorso wrote: > libuv1 is as well affected in bullseye and it's still supported. Can > you have a look as well at this version? The same patch (with a refresh) applies to bullseye. I can also prepare an upload. All the best

Bug#1063484: libuv1: CVE-2024-24806

2024-02-29 Thread Salvatore Bonaccorso
Hi Dominique, [Adding CC to team@s.d.o] On Tue, Feb 20, 2024 at 07:08:48PM +0100, Dominique Dumont wrote: > Hi > > On Wed, 14 Feb 2024 12:57:52 +0100 Dominique Dumont wrote: > > I'm still pondering what should be done for stable which ships a libuv > 1.44.2 > > I've prepared a fix for bookwor

Bug#1063484: libuv1: CVE-2024-24806

2024-02-14 Thread Dominique Dumont
On Thu, 08 Feb 2024 20:51:30 +0100 Salvatore Bonaccorso wrote: > Note, that the advisory at [1] mentions that affected versions are > only > 1.45.x. Looking at the git changes, is it not introduced after > 6dd44caa35b4 ("unix,win: support IDNA 2008 in uv_getaddrinfo()") in > v1.24.0? The advisor

Bug#1063484: libuv1: CVE-2024-24806

2024-02-08 Thread Salvatore Bonaccorso
Source: libuv1 Version: 1.46.0-3 Severity: grave Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerability was published for libuv1. CVE-2024-24806[0]: | libuv is a multi-platform support library with a focus on | asynchronous I/O. The `uv_get