Hi Noah,

On Fri, Sep 26, 2025 at 11:24:13PM +0200, Salvatore Bonaccorso wrote:
> Hi Noah,
> 
> On Wed, Sep 24, 2025 at 09:29:27AM -0400, Noah Meyerhans wrote:
> > On Tue, Sep 23, 2025 at 10:53:08PM +0200, Salvatore Bonaccorso wrote:
> > > > > > I've published a trixie build based on the just uploaded
> > > > > > 1:2.4.1+dfsg1-7.  You can install it from my people.debian.org
> > > > > > repository.  See https://people.debian.org/~noahm/repo/ for
> > > > > > details, and use the following sources file:
> > > > > >
> > > > > > Types: deb deb-src
> > > > > > URIs: https://people.debian.org/~noahm/repo
> > > > > > Suites: trixie-backports
> > > > > > Components: main
> > > > > > Signed-By: /etc/apt/noahm.gpg
> > > > > >
> > > > > > Let me know if this resolves the issue.  Similar packages will
> > > > > > likely ship in a forthcoming trixie point release.
> > > > > 
> > > > > Shouldn't these be shipped through stable-security?
> > > > > 
> > > > 
> > > > Possibly.  Let's see what the security team thinks.  Multiple people
> > > > have encountered this issue since the trixie release, and the impact is
> > > > a significant breach of privacy.  It doesn't impact the default
> > > > configuration, but it only takes uncommenting and adjusting one line to
> > > > trigger it.
> > > > 
> > > > Since we just released 13.1, there won't be another trixie point release
> > > > for a few months, which argues in favor of a DSA IMO.
> > > 
> > > As the next point release is on 15 November only and given the impact,
> > > yes tend to agree to release a DSA for this issue. Can you prepare the
> > > trixie-security debdiff?
> > 
> > See attached.  The diffstat is
> >  changelog                                                           |    8 ++
> >  patches/auth__Use_AUTH_CACHE_KEY_USER_instead_of_per-database.patch |  124 ++++++++++++++++++++++++++++++++++++++++++
> >  patches/series                                                      |    1 
> >  3 files changed, 133 insertions(+)
> > 
> > Note that there's no CVE referenced in the changelog, as we don't seem
> > to have one for this issue yet.
> 
> I will try to have a look at this over the weekend and come back to
> you.

Looks good, please upload to security-master (needs to be built with
-sa).

Regards,
Salvatore
