Hi Moritz,

On Wed, May 07, 2025 at 02:46:04PM +0200, Moritz Schlarb wrote:
> Dear LTS Team.
>
> On Wed, 2025-05-07 at 10:59 +0000, Moritz Mühlenhoff wrote:
> > >
> > > So RedHat has provided more information and we know it's fixed by
> > > https://github.com/OpenIDC/mod_auth_openidc/commit/29ea79dea97cdab1b0d150af2c9a50a442e7216e
> > > and as you are already aware as well upstream has created
> > > https://github.com/OpenIDC/mod_auth_openidc/security/advisories/GHSA-x7cf-8wgv-5j86
> >
> > Let's also fix that one via a DSA. Moritz, could you please prepare an
> > update for bookworm-security?
>
> I have also prepared a fixed version for Bullseye (see attached debdiff), but
> now I have a workflow question:
> The package/issue is not yet claimed in dla-needed.txt and [1] insists that
> this should be done before all else by front desk. If that is true, somebody
> please do so, otherwise, I assume I could then go ahead with uploading the
> package and claiming and issuing the DLA, right?
>

Ordinarily this is the case. The purpose is to ensure that we minimize the
possibility of unnecessary and/or duplicate work. However, since you have
already prepared the update and are ready to upload and issue the DLA, there
isn't much of a need to first list the package in dla-needed.txt.
So, in this case, don't worry about having the package show up in
dla-needed.txt first. You are free to upload and issue the DLA.

Regards,

-Roberto

-- 
Roberto C. Sánchez