Hi Andreas, [looping in my security team mates alias to get a second pair of eyes]
On Sat, Feb 15, 2025 at 12:27:43PM +0000, Andreas Henriksson wrote:
> Hello Salvatore,
>
> On Sat, Dec 14, 2024 at 03:18:16PM +0100, Salvatore Bonaccorso wrote:
> > Source: djoser
> > Version: 2.1.0-1
> > Severity: grave
> > Tags: security upstream
> > Forwarded: https://github.com/sunscrapers/djoser/issues/795
> > X-Debbugs-Cc: car...@debian.org, Debian Security Team
> > <t...@security.debian.org>
> >
> > Hi,
> [...]
> > For further information see:
> >
> > [0] https://security-tracker.debian.org/tracker/CVE-2024-21543
> >     https://www.cve.org/CVERecord?id=CVE-2024-21543
> > [1] https://github.com/sunscrapers/djoser/issues/795
> > [2]
> > https://github.com/sunscrapers/djoser/commit/d33c3993c0c735f23cbedc60fa59fce69354f19d
>
> djoser appeared in dla-needed.txt and I figured I could take it on as my
> first attempt at helping out.... I see that it still needs fixing
> in both stable (bookworm) and oldstable (bullseye) - which both have the
> same version. So I figured I'd tackle both.
> (oldoldstable is not affected.)
>
> I've prepared updates in git at:
> https://salsa.debian.org/python-team/packages/djoser/-/commits/debian/bookworm
> https://salsa.debian.org/python-team/packages/djoser/-/commits/debian/bullseye
>
> According to the lts documentation I've been looking at, next step is to
> just upload the bullseye update.... however it feels more natural for
> me to have it fixed in [unstable (& testing)] > stable > oldstable > ...
> and according to instructions I should get a security team ACK before
> uploading to bookworm-security, but I haven't been able to find out
> exactly where to request that ack.
>
> Do you think you could give me the ack (or instruct me where to go from
> here)?
>
>
> If I may also ask:
>
> Maybe djoser is not important enough to warrant a bookworm-security
> upload? (But then, is it important enough for a DLA and if not then why
> is it in dla-needed.txt?)
>
> If I upload one of the uploads to security queue with -sa (orig source
> included), should the other upload be without full sources or also with?

In my opinion at this point in time, a fix for djoser can safely go via
the next bookworm point release and does not need a dedicated DSA. Can
you prepare an update for bookworm to go via the next point release?
Documentation is at:

https://www.debian.org/doc/manuals/developers-reference/pkgs.en.html#special-case-uploads-to-the-stable-and-oldstable-distributions

If I do not hear objections from my team-mates at security team I will
mark it as no-dsa for bookworm.

I cannot speak authoritatively for bullseye/LTS, but as there are no
point releases a DLA might still be warranted.

Regards,
Salvatore