[Git][reproducible-builds/diffoscope][master] Expand an older changelog entry with CVE reference.

Chris Lamb (@lamby) gitlab at salsa.debian.org
Sun Feb 11 20:31:36 UTC 2024



Chris Lamb pushed to branch master at Reproducible Builds / diffoscope


Commits:
86645633 by Chris Lamb at 2024-02-11T12:31:16-08:00
Expand an older changelog entry with CVE reference.

- - - - -


1 changed file:

- debian/changelog


Changes:

=====================================
debian/changelog
=====================================
@@ -6,13 +6,18 @@ diffoscope (257) UNRELEASED; urgency=medium
 
 diffoscope (256) unstable; urgency=high
 
-  * Use a determistic name when extracting content from GPG artifacts instead
-    of trusting the value of gpg's --use-embedded-filenames. This prevents a
-    potential information disclosure vulnerability that could have been
-    exploited by providing a specially-crafted GPG file with an embedded
-    filename of, say, "../../.ssh/id_rsa". Many thanks to Daniel Kahn Gillmor
-    <dkg at debian.org> for reporting this issue and providing feedback.
+  * CVE-2024-25711: Use a determistic name when extracting content from GPG
+    artifacts instead of trusting the value of gpg's --use-embedded-filenames.
+
+    This prevents a potential information disclosure vulnerability that could
+    have been exploited by providing a specially-crafted GPG file with an
+    embedded filename of, say, "../../.ssh/id_rsa".
+
+    Many thanks to Daniel Kahn Gillmor <dkg at debian.org> for reporting this
+    issue and providing feedback.
+
     (Closes: reproducible-builds/diffoscope#361)
+
   * Temporarily fix support for Python 3.11.8 re. a potential regression
     with the handling of ZIP files. (See reproducible-builds/diffoscope#362)
 
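Review bot: the misspelling "determistic" on the new first line of the 256 entry ("CVE-2024-25711: Use a determistic name when extracting content from GPG") is carried over unchanged from the removed text; since this commit rewraps that sentence anyway, correct it to "deterministic" so that searches of the changelog for the fix description match. The entry now also spans four paragraphs separated by blank "+" lines, with "(Closes: reproducible-builds/diffoscope#361)" standing alone as the last one. It would be worth confirming that the changelog tooling still associates that Closes reference with the CVE bullet and not with the Python 3.11.8 item that follows.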



View it on GitLab: https://salsa.debian.org/reproducible-builds/diffoscope/-/commit/8664563356cdb733c48f15e29a3d4e13e9a91fe2
