Hi, Salvatore. Thanks for the heads up!
Hi, Paul et al.

Answering the questions on the referred page:

1) Yes, mainly a bugfix release as noted in its changelog [1]
2) The risks on the release quality are almost zero. Only
   libnginx-mod-http-modsecurity depends on it (modsecurity being a
   library).
3) No idea
4) No idea
5) Yes, including its Debian co-maintainer, Ervin Hegedus.
6) Yes
7) It's too long, but mainly because of line numbers being updated in code
   comments, like:
   -#line 1459 "seclang-parser.yy"
   +#line 1461 "seclang-parser.yy"
8) Not that many code changes
9) Not that difficult :-)

Cheers,

Alberto

[1] https://github.com/SpiderLabs/ModSecurity/releases/tag/v3.0.9

On Sat, May 27, 2023 at 10:33:27PM +0200, Salvatore Bonaccorso wrote:
> Hi Alberto,
>
> On Wed, May 24, 2023 at 12:26:33PM +0200, Paul Gevers wrote:
> > control: tags -1 moreinfo
> >
> > Hi,
> >
> > On Mon, 08 May 2023 18:16:51 +0200 Alberto Gonzalez Iniesta
> > <a...@inittab.org> wrote:
> > > A new upstream version of modsecurity fixes a security bug
> > > (CVE-2023-28882, #1035083).
> > > We also fixed a FTBFS in the meantime (#1034760).
> > > Also nginx moved to pcre2, which we also did after the current version
> > > in bookworm.
> >
> > Your message didn't reach our mail list, which typically is a bad sign
> > because it means your debdiff is big. New upstream releases are typically
> > not what we consider targeted fixes which are all we accept in this phase of
> > the release. Please read the FAQ [1] and provide all relevant information
> > pointed out there, particularly about upstream's policy on new releases.
>
> Did you see Paul's query? I'm asking since the deadline for unblock
> requests is tomorrow already.
>
> Regards,
> Salvatore

--
Alberto Gonzalez Iniesta     | Training, consulting and technical support
mailto/sip: a...@inittab.org | in GNU/Linux and free software
Encrypted mail preferred     | http://inittab.com

Key fingerprint = 5347 CBD8 3E30 A9EB 4D7D 4BF2 009B 3375 6B9A AA55