Bug#1034039: bullseye-pu: package libpod/3.0.1+dfsg1-3+deb11u1
On Thu, 2023-04-06 at 19:46 -0400, Reinhard Tartler wrote:
> This code change picks up code changes in golang-github-containers-psgo
> and golang-github-containers-storage to fix CVE-2022-1227. This is
> reported as 1020907. This addresses a privilege escalation issue when
> using 'podman top'. Upstream has more information on this issue in
> https://bugzilla.redhat.com/show_bug.cgi?id=2070368
>
I see this has already been uploaded; unfortunately:
- ,golang-github-containers-psgo-dev
- ,golang-github-containers-storage-dev (>= 1.24.6)
+ ,golang-github-containers-psgo-dev (>= 1.5.2-1+deb11u1)
+ ,golang-github-containers-storage-dev (>= 1.24.6+dfsg1-1+deb11u1)
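Review bot: the lower bound on golang-github-containers-storage-dev in the last added line, (>= 1.24.6+dfsg1-1+deb11u1), sorts below the 1.24.8+dfsg1-1+deb11u1 version named in this thread as the one needed, so the build dependency can still be satisfied by a storage package older than the fix. Raise the bound to (>= 1.24.8+dfsg1-1+deb11u1) so the constraint itself enforces that the rebuilt libpod picks up the CVE-2022-1227 change.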
The updated golang-github-containers-storage-dev version there isn't
actually sufficient to ensure that the fixed version is picked up - you
want 1.24.*8*+dfsg1-1+deb11u1.
At this point, either I can reject the current upload, and you can then
re-upload a fixed +deb11u1 or (possibly easier all around) you can
upload +deb11u2 as an incremental change on top of +deb11u1 which
simply fixes the dependency version.
Regards,
Adam