Hi Christoph,

On Mon, Aug 23, 2021 at 01:17:18PM +0200, Christoph Martin wrote:
> Hi Salvatore,
>
> On 19.08.21 at 21:32, Salvatore Bonaccorso wrote:
> > Hi Christoph,
> >
> > On Tue, Aug 10, 2021 at 01:42:32PM +0200, Christoph Martin wrote:
> >> Dear Security Team,
> >>
> >> the fixed version is now in bullseye. Thanks for that.
> >>
> >> What is the plan for buster and stretch? Do you prepare fixes?
> >
> > thanks for following up on that. For buster, can you fix those issues,
> > and ideally as well CVE-2019-14857 (#942165) and CVE-2019-20479 via an
> > upcoming buster point release?
>
> Ok. I prepare that update. That would be a version 2.4.9-1~deb11u1 ?

Depends (but then ~deb10u1). Why I say depends: buster has currently
2.3.10.2-1, and I'm not sure if we can be confident to bump the
version from 2.3.10.2 upstream to 2.4.9? This has to be acked by the
release team if suitable.

If SRM agree on importing the 2.4.9 version: if it is merely a rebuild
of the bullseye package back for buster, then 2.4.9-1~deb10u1 would be
good, if it's an import of new upstream on top of the current
packaging instead I would choose 2.4.9-0+deb10u1. But the most
important question here is if SRM agree on bumping the version to
2.4.9.

If feasible to cherry-pick the needed patches then this would be
2.3.10.2-1+deb10u1.

Does this help?

Regards,
Salvatore