Received: from mout02.posteo.de (mout02.posteo.de [185.67.36.66]) by gbr-app-1.alpinelinux.org (Postfix) with ESMTPS id E2108226D41 for <~alpine/users@lists.alpinelinux.org>; Tue, 22 Oct 2024 14:40:46 +0000 (UTC) Received: from submission (posteo.de [185.67.36.169]) by mout02.posteo.de (Postfix) with ESMTPS id 8560F240101 for <~alpine/users@lists.alpinelinux.org>; Tue, 22 Oct 2024 16:40:45 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=posteo.net; s=2017; t=1729608045; bh=Yio4WVN+RNZ7CxY30qZnqWQlbERxQO3Lo1Ssg3xvWNk=; h=Mime-Version:Content-Transfer-Encoding:Content-Type:Date: Message-Id:Subject:From:To:From; b=e/kUmlXaEMfE66l8GSVNxVaHqbj+eSVhbWUoC3fpn/f1U/5IJE/w9YUWDRwy980CQ GF2hv2yxnsQeQuDdGmgz4mIkR5gZXKulU/9uZQfwR1Kfw6/qjIeYlSfVw7FaotFyUG fsyfLnpj+oLBG+DforwzGSO3E0o67zzTn61G6W8RrUf0Y0gRrfl8oSktOm7kdZpxPj kOW8Kpacog/AG8YbiWQ+FVXL0z4Ywuw2/Dx+O/9ClScsVs++sxQ5BcuEU5JDO/Wrsf BUJGBj+YfyKvkhKJDW5MyFZKMyqD1YFp/JD9BgnfqRic1EXsUdmHZGXqV+oNBBUeUY aeYtM9DT4JBPw== Received: from customer (localhost [127.0.0.1]) by submission (posteo.de) with ESMTPSA id 4XXvx84HcTz9rxD; Tue, 22 Oct 2024 16:40:44 +0200 (CEST) Mime-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=UTF-8 Date: Tue, 22 Oct 2024 14:40:44 +0000 Message-Id: Subject: Re: Inquiry Regarding Resolution Timeline for CVE-2022-38725 in "syslog-ng" Package From: "Sertonix" To: "Siddharth Srivastava" , "~alpine/users@lists.alpinelinux.org" <~alpine/users@lists.alpinelinux.org> References: In-Reply-To: <> > Dear Alpine Security Team, > Writing to inquire about the status of CVE-2022-38725, which affects the > "syslog-ng" package in the 3.20-main branch. According to the Alpine > Security Tracker, this CVE remains unresolved, and we are seeing it > flagged in the latest images we are using. Could you please provide an > update on when this vulnerability is expected to be resolved or if there > are any planned fixes? T The description of CVE-2022-38725 states that it effects syslog-ng version 3.0 through 3.37 but alpine doesn't ship these versions anymore. I opened a MR to mark the CVE as fixed: https://gitlab.alpinelinux.org/alpi= ne/aports/-/merge_requests/73944 > Thank you. > Best regards, > Siddharth Srivastava