Hi Alexander,

On Tue, Dec 22, 2020 at 07:57:15PM +0300, Alexander Gerasiov wrote:
> On Sun, 20 Dec 2020 11:50:42 +0200
> Adrian Bunk <[email protected]> wrote:
> > this is a regression in 1.2.1+dfsg-2 that is currently in both
> > buster-security (which was done on top of 1.2.1+dfsg-2 that
> > introduced the regression, not on top of 1.2.1+dfsg-1 in buster) and
> > in unstable/testing (which currently misses the CVE fixes).
> >
> > It would be good if you could make an upload to unstable with this
> > bug fixed on top of 1.2.1+dfsg-2+deb10u1, and then backport that
> > change to buster.
> >
> > Please coordinate with the security team whether this would warrant a
> > regression update to the DSA or should be done through the next point
> > release.
>
> Hi, Team.
>
> Does anyone mind against uploading fix to stable-proposed-update?
> The fix is here:
> https://salsa.debian.org/debian/minidlna/-/commits/buster-security/
> Or should it go to buster-security?

Fixing it via buster-proposed-updates in the next point release works.
As a regression from the last DSA, given we all have not spotted it was
based on the testing version, I think we can as well release it via a
regression update via buster-security. This will be only an issue if
someone decides to purge the package in stable.

The other issue: As the update was based on -2 rather than -1 it
contains several more (packaging) changes as well and I wonder if current
stable users might have any issue with those (I suspect not because
systemd service addition is probably ok, the move of log directory might
be though surprising in a stable update and the fix for #941410 is
probably just a benefit).

Do you anticipate any problems which would arise from this that we did
release it on top of the "wrong" version?

Regards,
Salvatore

