
Bug#991811: unblock: libapache2-mod-auth-openidc/2.4.9-1



Hi Paul,

On Fri, Aug 06, 2021 at 08:40:24AM +0200, Paul Gevers wrote:
> Hi Christopher,
> 
> On 02-08-2021 13:33, Christoph Martin wrote:
> > Please unblock package libapache2-mod-auth-openidc
> > 
> > currently the version 2.4.4.1-2 of libapache2-mod-auth-openidc is in
> > testing/bullseye. Some days ago four CVE security bugs were published
> > which are fixed in version 2.4.9.
> > 
> > The fix to CVE-2021-32791 looks quite big, so that I think it is not
> > safe to backport it to 2.4.4.1 like the others could be.
> > 
> > I uploaded the latest upstream (2.4.9) rather than try to
> > backport the fixes to 2.4.4.
> 
> It's *very* late in the freeze so I need an answer *real soon*. You
> didn't tell us how you tested the package, how upstream tested the
> changes and how you *judge* the changes between bullseye and sid. I
> can't estimate the risk by myself.

From the security team's perspective, we would tend to confirm that going
to the 2.4.9-based version is a good option, if Christoph can confirm
the above questions on testing. Was it tested in a production
environment as well?

Regards,
Salvatore
