
Re: Bug#991811: unblock: libapache2-mod-auth-openidc/2.4.9-1



Hi Salvatore,
dear Release Team,

On 23.08.21 at 14:46, Salvatore Bonaccorso wrote:
> Hi Christoph,
> 
> On Mon, Aug 23, 2021 at 01:17:18PM +0200, Christoph Martin wrote:
>> Hi Salvatore,
>>
>> On 19.08.21 at 21:32, Salvatore Bonaccorso wrote:
>>> Hi Christoph,
>>>
>>> On Tue, Aug 10, 2021 at 01:42:32PM +0200, Christoph Martin wrote:
>>>> Dear Security Team,
>>>>
>>>> the fixed version is now in bullseye. Thanks for that.
>>>>
>>>> What is the plan for buster and stretch? Do you prepare fixes?
>>>
>>> thanks for following up on that. For buster, can you fix those issues,
>>> and ideally as well CVE-2019-14857 (#942165) and CVE-2019-20479 via an
>>> upcoming buster point release?
>>
>> Ok. I prepare that update. That would be a version 2.4.9-1~deb11u1 ?
> 
> Depends (but then ~deb10u1). 

You are right. My fault.

> Why i say depends: buster has currently
> 2.3.10.2-1, and I'm not sure if we can be confident to bump the
> version from 2.3.10.2 upstream to 2.4.9? This has to be acked by the
> release team if suitable.
> 
> If SRM agree on importing the 2.4.9 version: if it is merely a rebuild
> of the bullseye package back for buster, then 2.4.9-1~deb10u1 would be
> good, if it's an import of new upstream on top of the current
> packaging instead I would choose 2.4.9-0+deb10u1.

It would be a rebuild of the bullseye package for buster. As I commented
in the fix for bullseye in Bug 991811:

> The fix to CVE-2021-32791 looks quite big, so that I think it is not
> safe to backport it to 2.4.4.1 like the others could be.

So a backport seems not to be a good solution.
I tested the bullseye package on buster and even that works without a
problem in buster.

> But the most important question here is if SRM agree on bumping the
> version to 2.4.9.
> 
> If feasible to cherry-pick the needed patches then this would be
> 2.3.10.2-1+deb10u1.
> 

@Release Team: What do you recommend?

Christoph

Attachment: OpenPGP_signature
Description: OpenPGP digital signature
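The three candidate version strings in the quoted message (2.4.9-1~deb10u1 for a rebuild, 2.4.9-0+deb10u1 for a new upstream on the existing packaging, 2.3.10.2-1+deb10u1 for cherry-picked patches) only work as security updates if they sort above what buster currently ships and below what bullseye ships, so that a point-release upgrade installs the fix and a later dist-upgrade still replaces it. The following is an added example, not code from this thread, from the package or from dpkg: a self-contained re-implementation of the Debian version comparison algorithm (Debian Policy section 5.6.12, the same ordering `dpkg --compare-versions` applies) that checks exactly those orderings. The version strings are the ones named in the thread; the function names are this example's own.

```python
# Added example: Debian version ordering as dpkg applies it, re-implemented in
# plain Python so the orderings discussed in the thread can be checked offline.
# Not dpkg's own code; function names are this example's own.
import re
from functools import cmp_to_key
from itertools import zip_longest


def _order(c):
    """Weight of one character inside a non-digit run, as Debian Policy defines it:
    '~' sorts before everything (even before the end of the string), end-of-string
    and digits count as 0, letters sort by ASCII code, other symbols after letters."""
    if c == "~":
        return -1
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp(x, y):
    return (x > y) - (x < y)


def _cmp_nondigit(a, b):
    """Compare two non-digit runs character by character; '~' < '' < letters < symbols."""
    for ca, cb in zip_longest(a, b, fillvalue=""):
        r = _cmp(_order(ca), _order(cb))
        if r:
            return r
    return 0


def _verrevcmp(a, b):
    """Compare an upstream version or a Debian revision by alternating
    non-digit and digit runs; digit runs compare numerically."""
    runs_a = re.findall(r"(\D*)(\d*)", a)
    runs_b = re.findall(r"(\D*)(\d*)", b)
    for (na, da), (nb, db) in zip_longest(runs_a, runs_b, fillvalue=("", "")):
        r = _cmp_nondigit(na, nb) or _cmp(int(da or "0"), int(db or "0"))
        if r:
            return r
    return 0


def parse_version(v):
    """Split '[epoch:]upstream[-revision]'. A missing revision equals '0'."""
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    if "-" in rest:
        upstream, revision = rest.rsplit("-", 1)
    else:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1, matching 'dpkg --compare-versions a lt|eq|gt b'."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    return _cmp(ea, eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)


def sort_versions(versions):
    return sorted(versions, key=cmp_to_key(compare_versions))


def is_valid_stable_update(current, candidate, next_release):
    """A stable security update must sort above the version currently in the
    suite and below the version in the next release, or upgrades break."""
    return compare_versions(current, candidate) < 0 < compare_versions(next_release, candidate)


# Constructed inputs: the version strings named in the thread.
BUSTER_CURRENT = "2.3.10.2-1"
BUSTER_CHERRYPICK = "2.3.10.2-1+deb10u1"   # patches on top of current packaging
BUSTER_NEW_UPSTREAM = "2.4.9-0+deb10u1"    # new upstream on current packaging
BUSTER_REBUILD = "2.4.9-1~deb10u1"         # rebuild of the bullseye package
BULLSEYE = "2.4.9-1"

if __name__ == "__main__":
    for v in sort_versions([BULLSEYE, BUSTER_REBUILD, BUSTER_CURRENT,
                            BUSTER_NEW_UPSTREAM, BUSTER_CHERRYPICK]):
        print(v, "ok" if is_valid_stable_update(BUSTER_CURRENT, v, BULLSEYE) else "--")
```

All three candidates sort between 2.3.10.2-1 and 2.4.9-1, so any of them upgrades cleanly; the tilde in ~deb10u1 is what keeps a rebuild below the identical bullseye version, while the plus in +deb10u1 keeps a patched package above the version it was derived from.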

