Your message dated Sat, 18 Dec 2021 11:36:17 +0000 with message-id <f35b13da0620aab462a587a3d6f06f29a527c6c9.ca...@adam-barratt.org.uk> and subject line Closing p-u requests for changes included in 11.2 has caused the Debian Bug report #995494, regarding bullseye-pu: package vim/2:8.2.2434-3+deb11u1 to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
995494: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=995494
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: t...@security.debian.org

[ Reason ]
* Vim has some recent "no DSA" CVEs which, although unlikely to hit, would be good to fix (#994497, #994498, #994076)
* In the buster -> bullseye upgrade, vim-gtk becomes a transitional package, switching to vim-gtk3. The vim-gtk alternatives weren't cleaned up, so there's a lot of noise during the upgrade about dangling links for alternatives and a window where the symlinks may not exist (#993766).

[ Impact ]
* Off chance that Vim crashes or twiddles some bits in memory it shouldn't be.

[ Tests ]
* The CVE fixes all come with tests from upstream.
* I've manually tested the upgrade scenario described in #993766. The scary warnings about dangling links are fixed, but the scenario encountered (conffile editing needed with no alternative link in place) isn't something I see an obvious way to fix. I've also tested upgrading from current bullseye to the proposed changes.

The most likely reason to encounter the bug is if /etc/vim/vimrc, which is a conffile, is modified, since it will cause dpkg's conffile prompt to happen. At this point, buster vim-gtk's files have been removed but vim-common is being configured before vim-gtk3, so the new alternatives haven't been established. The binaries are already in place, so the user can run vim.gtk3, but it's not what their fingers (or possibly $VISUAL/$EDITOR) expect to use.

[ Risks ]
Low risk. CVE fixes are pretty small and covered by new tests. The alternatives issue is targeted

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
    * Aside from the vim-gtk -> vim-gtk3 change, which is buster -> bullseye specific.

[ Changes ]
attached

[ Other info ]
n/a
vim_8.2.2434-3+deb11u1.diff
Description: Binary data
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 11.2

Hi,

All of the updates referred to by these bugs were included in this morning's bullseye point release.

Regards,

Adam
--- End Message ---