Hi Christopher,

On 02-08-2021 13:33, Christoph Martin wrote:
> Please unblock package libapache2-mod-auth-openidc
>
> currently the version 2.4.4.1-2 of libapache2-mod-auth-openidc is in
> testing/bullseye . Some days ago four CVE security bugs were published
> which are fixed in version 2.4.9 .
>
> The fix to CVE-2021-32791 looks quite big, so that I think it is not
> safe to backport it to 2.4.4.1 like the others could be.
>
> I uploaded the latest upstream (2.4.9) rather than try to
> backport the fixes to 2.4.4.

It's *very* late in the freeze so I need an answer *real soon*.

You didn't tell us how you tested the package, how upstream tested the
changes and how you *judge* the changes between bullseye and sid. I
can't estimate the risk by myself.

Paul