I just noticed that someone imported Kubernetes. Ugh. The most recent security issues for it posted on oss-security are:
https://www.openwall.com/lists/oss-security/2021/04/14/1
https://www.openwall.com/lists/oss-security/2021/05/04/8
https://www.openwall.com/lists/oss-security/2021/05/11/1
https://www.openwall.com/lists/oss-security/2021/05/18/4
https://www.openwall.com/lists/oss-security/2021/07/14/1
The maintainer needs to watch out for these and see that they get fixed if we're going to keep this package.
Someone = Bruno! [most recently] Thu Mar 25 2021 bcornec : Import kubernetes and subsequently.
Assignee: bugsquad => bruno
Status: NEW => ASSIGNED
More:
https://www.openwall.com/lists/oss-security/2021/09/16/1
https://www.openwall.com/lists/oss-security/2021/09/16/2
1.22.2 on its way to cauldron, which is fixing all but the last one, which has no fix yet.
Another one: https://www.openwall.com/lists/oss-security/2021/10/21/3
(In reply to David Walser from comment #4)
> Another one:
> https://www.openwall.com/lists/oss-security/2021/10/21/3

Seems that one can be mitigated by config, which is not in our hands directly, no?
Looks like it, yeah. I guess upstream will have to add something about it to their documentation for the affected feature. The "fix" will probably end up being a documentation enhancement.
1.24.4 is now in cauldron, so think this one is not relevant anymore.
Resolution: (none) => WONTFIX
Status: ASSIGNED => RESOLVED
https://www.openwall.com/lists/oss-security/2022/09/15/2 (you can just mark this FIXED when you update it again)
Status: RESOLVED => REOPENED
Resolution: WONTFIX => (none)
1.25.1 pushed to cauldron fixing that issue.
Status: REOPENED => RESOLVED
Resolution: (none) => FIXED
https://www.openwall.com/lists/oss-security/2022/11/10/3
https://www.openwall.com/lists/oss-security/2022/11/10/4
Fixed in 1.25.4.
Status: RESOLVED => REOPENED
Resolution: FIXED => (none)
1.25.4 pushed to cauldron
1.25.4 is fixing the reported issue
Resolution: (none) => FIXED
Status: REOPENED => RESOLVED
https://www.openwall.com/lists/oss-security/2023/06/21/11
Fixed in 1.26.2.
Resolution: FIXED => (none)
Status: RESOLVED => REOPENED
1.27.3 pushed to cauldron updates_testing
I think we should not set fixed until moved to release (or, later scenario, updates), so it is not forgotten and left in testing :)
CC: (none) => fri
Resolution: FIXED => (none)
Status: RESOLVED => REOPENED
I asked for the move this morning. Let's see. However, I don't understand why there is only 1 single BR for kubernetes, as each time these are different CVEs. It would make more sense to me to have a single BR per CVE in the future. Else, this BR will continue to be opened/closed ad vitam aeternam :-(
Because it's a Cauldron-only package. Once it's in a stable release and needs to go through QA, it'll get new bug reports.
https://www.openwall.com/lists/oss-security/2023/07/06/2
https://www.openwall.com/lists/oss-security/2023/07/06/3
These issues were fixed in 1.27.3, which was already moved to core/release.