Hi Hilko,

On Thu, Mar 25, 2021 at 10:04:46PM +0100, Salvatore Bonaccorso wrote:
> Hi Hilko,
>
> On Sat, Mar 20, 2021 at 06:24:57PM +0100, Sebastian Ramacher wrote:
> > Control: tags -1 + moreinfo
> >
> > On 2021-03-20 15:27:28 +0100, Salvatore Bonaccorso wrote:
> > > Package: release.debian.org
> > > Severity: normal
> > > User: release.debian....@packages.debian.org
> > > Usertags: unblock
> > > X-Debbugs-Cc: car...@debian.org,ben...@debian.org
> > >
> > > Hi Release team
> > >
> > > [Disclaimer, not the maintainer requesting the unblock, but I'm CC'ing
> > > Hilko to confirm].
> > >
> > > Please unblock package libnbd
> > >
> > > [ Reason ]
> > > The new upstream version uploaded libnbd/1.6.2-1 contains a fix for
> > > CVE-2021-20286. It was announced as
> > > https://listman.redhat.com/archives/libguestfs/2021-March/msg00092.html
> > > . An isolated fix was
> > > https://gitlab.com/nbdkit/libnbd/-/commit/2216190ecbbd853648df6a3280c17b345b0907a0
> > > . The request is done to have bullseye without this CVE open.
> > >
> > > [ Impact ]
> > > Denial of service.
> > >
> > > [ Tests ]
> > > I have not performed tests specific to the version update 1.6.1 to
> > > 1.6.2.
> > >
> > > [ Risks ]
> > > Arguably there is a new upstream version, but the attached debdiff
> > > collects all the changes additionally done.
> > >
> > > Again, Hilko is CC'ed to confirm if this is safe for bullseye.
> > >
> > > [ Checklist ]
> > > [ ] all changes are documented in the d/changelog
> > > [ ] I reviewed all changes and I approve them
> > > [x] attach debdiff against the package in testing
> > >
> > > [ Other info ]
> > > It should probably have an explicit acknowledgment for the unblock
> > > from Hilko.
> >
> > Please remove the moreinfo tag once ACKed by Hilko.
>
> Any input on this? Or was the version not aimed for bullseye?

Friendly ping. Did you get my email? Now there was a new upstream
version uploaded to unstable, so this is going to be a bigger diff.

Regards,
Salvatore