On 12/08/2020 01:04, Roberto C. Sánchez wrote:
> On Wed, Aug 12, 2020 at 08:55:43AM +1000, Brian May wrote:
>> I am seriously thinking that slirp from unstable should be ported as is
>> from sid to buster and stretch. This is not a new upstream version, it
>> has bug fixes and security updates only. Probably the same changes I
>> would have to make myself in fact. Such as replacing sprintf calls with
>> snprintf calls for example.
>>
>> This would fix CVE-2020-7039 and provide the prerequisite to fixing
>> CVE-2020-8608.
>>
>> Only thing, I am not sure what to do with the versioning:
>>
>> stretch 1:1.0.17-8
>> buster 1:1.0.17-8
>> sid 1:1.0.17-10
>>
>> In fact, because stretch and buster have the same version, does this mean
>> I can't make any security uploads to stretch?
>>
>> On the other hand the security team has marked both these as no-DSA in
>> buster, meaning maybe I should do the same thing too?
>
> I would ask the Security Team if they are open to considering taking
> 1:1.0.17-10 into buster. The version would be 1:1.0.17-10~deb10u1. If
> they agree, then you could subsequently upload to stretch with version
> 1:1.0.17-10~deb9u1. If they are not open to considering it, then it
> seems that the only viable course of action is to mark them no-dsa.
Even if it's no-dsa, it can still be updated in buster via stable-proposed-updates.

Cheers,
Emilio