Hi,
On 30/12/2024 21:12, Salvatore Bonaccorso wrote:
Hi,
On Sun, Dec 01, 2024 at 10:14:16PM +0100, Lee Garrett wrote:
Hi,
these three CVEs are now fixed in buster and bullseye. This means users who
upgrade to bookworm will be vulnerable to those issues again. Can we get a
decision from the release team on this bug? Is there any information missing
to make a decision?
What is the status on this?
Lee, I have not looked at all the changes between the current bookworm
version and trixie, but you might need to bake-out changes not
suitable for bookworm.
I reviewed the changes. They're mostly fixes to packaging bugs (e.g. missing
depends, non-user visible changes like file renames in the source package,
bugfixes to autopkgtests, updated control fields) and I believe they're suitable
for the inclusion in bookworm. So I went ahead and uploaded the package I had
prepared in August.
The alternative is actually to otherwise do a new upstream version
import on top of the current packaging. Looking in particular on the
2.90-1 changelog there might be much packaging overhaul as well.
Hope that helps. I think it will now be too late for 12.9 in a few
days but ideally those CVE fixes are landing for 12.10.
Regards,
Salvatore
Best wishes and happy new year's eve celebrations,
Lee
