Hi Hilko,

On Sat, Mar 20, 2021 at 06:24:57PM +0100, Sebastian Ramacher wrote:
> Control: tags -1 + moreinfo
>
> On 2021-03-20 15:27:28 +0100, Salvatore Bonaccorso wrote:
> > Package: release.debian.org
> > Severity: normal
> > User: release.debian....@packages.debian.org
> > Usertags: unblock
> > X-Debbugs-Cc: car...@debian.org,ben...@debian.org
> >
> > Hi Release team
> >
> > [Disclaimer, not the maintainer requesting the unblock, but I'm CC'ing
> > Hilko to confirm].
> >
> > Please unblock package libnbd
> >
> > [ Reason ]
> > The new upstream version uploaded libnbd/1.6.2-1 contains a fix for
> > CVE-2021-20286. It was announced as
> > https://listman.redhat.com/archives/libguestfs/2021-March/msg00092.html
> > . An isolated fix was
> > https://gitlab.com/nbdkit/libnbd/-/commit/2216190ecbbd853648df6a3280c17b345b0907a0
> > . The request is done to have bullseye without this CVE open.
> >
> > [ Impact ]
> > Denial of service.
> >
> > [ Tests ]
> > I have not performed tests specific to the version update 1.6.1 to
> > 1.6.2.
> >
> > [ Risks ]
> > Arguably there is a new upstream version, but the attached debdiff
> > collects all the changes additionally done.
> >
> > Again, Hilko is CC'ed to confirm if this is safe for bullseye.
> >
> > [ Checklist ]
> > [ ] all changes are documented in the d/changelog
> > [ ] I reviewed all changes and I approve them
> > [x] attach debdiff against the package in testing
> >
> > [ Other info ]
> > It should probably have an explicit acknowledgment for the unblock
> > from Hilko.
>
> Please remove the moreinfo tag once ACKed by Hilko.

Any input on this? Or was the version not aimed for bullseye?

Regards,
Salvatore