On Wed, Aug 12, 2020 at 08:55:43AM +1000, Brian May wrote:
> I am seriously thinking that slirp from unstable should be ported as is
> from sid to buster and stretch. This is not a new upstream version, it
> has bug fixes and security updates only. Probably the same changes I
> would have to make myself in fact. Such as replacing sprintf calls with
> snprintf calls for example.
>
> This would fix CVE-2020-7039 and provide the prerequisite to fixing
> CVE-2020-8608.
>
> Only thing, I am not sure what to do with the versioning:
>
> stretch 1:1.0.17-8
> buster 1:1.0.17-8
> sid 1:1.0.17-10
>
> In fact, because stretch and buster have the same version, does this mean
> I can't make any security uploads to stretch?
>
> On the other hand the security team has marked both these as no-DSA in
> buster, meaning maybe I should do the same thing too?
I would ask the Security Team if they are open to considering taking 1:1.0.17-10 into buster. The version would be 1:1.0.17-10~deb10u1. If they agree, then you could subsequently upload to stretch with version 1:1.0.17-10~deb9u1. If they are not open to considering it, then it seems that the only viable course of action is to mark them no-dsa.

Regards,

-Roberto

-- 
Roberto C. Sánchez