Hi Gregor,

On Tue, May 23, 2023 at 02:56:41PM +0200, Salvatore Bonaccorso wrote:
> Hi Gregor,
>
> On Tue, May 23, 2023 at 08:44:48AM +0200, Gregor Jasny wrote:
> > Package: release.debian.org
> > Severity: normal
> > User: release.debian....@packages.debian.org
> > Usertags: unblock
> > X-Debbugs-Cc: c-a...@packages.debian.org
> > Control: affects -1 + src:c-ares
> >
> > Hello,
> >
> > [ Reason ]
> >
> > Yesterday version 1.19.1 of c-ares was released, which fixes four CVEs.
> > The Debian Security team considers two of them relevant for Debian and
> > I'd like to cherry-pick them into the unstable package so that the fixes
> > can migrate to Bookworm.
> >
> > Attached you'll find the debdiff. The changes are also visible in Salsa:
> > https://salsa.debian.org/debian/c-ares/-/compare/debian%2F1.18.1-2...master?from_project_id=11264&straight=false
> >
> > [ Impact ]
> >
> > CVE-2023-31130 has a CVSS score of 4.1
> > CVE-2023-32067 has a CVSS score of 7.5
> >
> > [ Tests ]
> >
> > On the experimental branch I enabled the unit and integration tests:
> > would you consider that commit as acceptable, too?
> > https://salsa.debian.org/debian/c-ares/-/commit/25f515f728eeae82013a9c1cb8aa6ce80e913d09
> >
> > [ Risks ]
> >
> > The fix for the 0-byte DoS issue seems to be straightforward.
> > The fix for inet_net_pton_ipv6 has been synced from OpenBSD and
> > is covered by the unit tests.
> >
> > Both changes are part of the 1.19.1 release, which built and passed
> > tests on experimental (except Hurd):
> > https://buildd.debian.org/status/package.php?p=c-ares&suite=experimental
> >
> > [ Checklist ]
> > [x] all changes are documented in the d/changelog
> > [x] I reviewed all changes and I approve them
> > [x] attach debdiff against the package in testing
> >
> > unblock c-ares/1.18.1-3
>
> Glad to see you worked on it already. I was on it today to propose an
> NMU, due to the deadline for bookworm approaching quickly, until
> Moritz pointed out to me that you had already filed an unblock
> request pre-approval.
>
> Attached for reference is what I did, so that they match. Release team,
> can you accept it, as we would also like to see a bullseye-security
> upload for the same two CVEs and avoid a regression
> bullseye->bookworm?
>
> Leaving open the question on enabling the testsuite.

Since the deadline for unblock requests is approaching quickly, I suggest
focusing on the isolated security fixes only. Last possibility to get
packages unblocked is 2023-05-28 12:00 UTC.

Regards,
Salvatore