WoTTsecurity / api

API and Dashboard
https://dash.wott.io
MIT License

Hide unfixable issue (Debian) #820

Closed vpetersson closed 4 years ago

vpetersson commented 4 years ago

I got an alert today for one of my Debian nodes:

[Screenshots: "Screen Shot 2020-03-27 at 10 46 21 AM", "Screen Shot 2020-03-27 at 10 46 26 AM"]

However, there is no upgrade available:

mvip@wott-debian-buster:~$ sudo wott-agent upgrade libicu63

wott-agent version wott-agent 0.1.5.801-6c71abb
upgrade packages: ['libicu63']
Hit http://security.debian.org/debian-security buster/updates InRelease
Hit http://deb.debian.org/debian buster InRelease
Hit http://deb.debian.org/debian buster-updates InRelease
Hit https://packagecloud.io/wott/agent/debian buster InRelease
Fetched 0 B in 0s (0 B/s)
The following packages will be upgraded:

Confirm: [y/N]python-iptables: match "state" already registered
mvip@wott-debian-buster:~$

I'm unsure if this is related to this issue.

Related bug:

vpetersson commented 4 years ago

Strange.

The Debian Security Tracker does indeed say that it has been fixed in 63.1-6+deb10u1.

However, it is not being picked up.

mvip@wott-debian-buster:~$ sudo apt update
Hit:1 http://deb.debian.org/debian buster InRelease
Hit:2 http://security.debian.org/debian-security buster/updates InRelease
Hit:3 http://deb.debian.org/debian buster-updates InRelease
Hit:4 https://packagecloud.io/wott/agent/debian buster InRelease
Reading package lists... Done
Building dependency tree
Reading state information... Done
All packages are up to date.
$ sudo apt-get install libicu63
Reading package lists... Done
Building dependency tree
Reading state information... Done
libicu63 is already the newest version (63.1-6+deb10u1).
libicu63 set to manually installed.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

Also, the security repo that the CVE is listed as resolved in is included:

$ grep 'security' /etc/apt/sources.list
deb http://security.debian.org/debian-security buster/updates main
deb-src http://security.debian.org/debian-security buster/updates main

Looking closer, it turns out that it was just that the agent had not submitted the data. The node has indeed been fixed. Hence this is most likely related to https://github.com/WoTTsecurity/agent/issues/286