Control: tags -1 + moreinfo

On Mon, 2021-08-23 at 14:46 +0200, Salvatore Bonaccorso wrote:
> Hi Christoph,
>
> On Mon, Aug 23, 2021 at 01:17:18PM +0200, Christoph Martin wrote:
> > Hi Salvatore,
> >
> > On 19.08.21 at 21:32, Salvatore Bonaccorso wrote:
> > > Hi Christoph,
> > >
> > > On Tue, Aug 10, 2021 at 01:42:32PM +0200, Christoph Martin wrote:
> > > > Dear Security Team,
> > > >
> > > > the fixed version is now in bullseye. Thanks for that.
> > > >
> > > > What is the plan for buster and stretch? Do you prepare fixes?
> > >
> > > thanks for following up on that. For buster, can you fix those issues,
> > > and ideally as well CVE-2019-14857 (#942165) and CVE-2019-20479 via an
> > > upcoming buster point release?
> >
> > Ok. I prepare that update. That would be a version 2.4.9-1~deb11u1?
>
> Depends (but then ~deb10u1). Why I say depends: buster has currently
> 2.3.10.2-1, and I'm not sure if we can be confident to bump the
> version from 2.3.10.2 upstream to 2.4.9? This has to be acked by the
> release team if suitable.
>
> If SRM agree on importing the 2.4.9 version: if it is merely a rebuild
> of the bullseye package back for buster, then 2.4.9-1~deb10u1 would be
> good, if it's an import of new upstream on top of the current
> packaging instead I would choose 2.4.9-0+deb10u1.
>
> But the most important question here is if SRM agree on bumping the
> version to 2.4.9.

We'd really need to see what that looks like first.

Regards,

Adam