Autore: wirelessduck Data: To: Mark Hindley CC: dng Oggetto: Re: [DNG] Openvpn CVE fix in devuan chimaera
> On 25 Jul 2022, at 01:51, Mark Hindley <mark@???> wrote:
> On Sun, Jul 24, 2022 at 04:19:39PM +0100, Mark Hindley wrote:
>> Hi,
>>
>> On Mon, Jul 25, 2022 at 12:46:09AM +1000, wirelessduck--- via Dng wrote:
>>> I saw https://bugs.debian.org/1008015 on the Debian BTS which mentions
>>> it was found in openvpn/2.5.1-3, openvpn/2.5.5-1 and fixed in
>>> openvpn/2.5.6-1.
>>> Devuan chimaera still has openvpn/2.5.1-3+devuan1. Debian bullseye is
>>> also still showing openvpn/2.5.1-3 on packages.debian.org/openvpn.
>>> How can I check to see if this patch has been applied to the devuan
>>> package?
>>
>> It hasn't, because it hasn't been backported, only fixed upstream in 2.5.6 and 2.4.12.
>> It might be possible to do, but is considered a low-priority in Debian[1] and
>> doesn't have a DSA.
>
> I have just had a quick look and the commit seems to backport easily. New
> version for chimaera-security is en route.
>
> Mark
Thanks for the quick update! Apologies for not noticing this before I sent the previous message.
I’ll see if I can request the same fix in Debian bullseye so we don’t need to keep the extra patch in Devuan.