Control: tags -1 confirmed

On 2025-06-03 12:00:33 +0200, Paride Legovini wrote:
> Package: release.debian.org
> Severity: normal
> X-Debbugs-Cc: [email protected], [email protected],
> [email protected], [email protected]
> Control: affects -1 + src:isc-kea
> User: [email protected]
> Usertags: unblock
>
> Hello, I'm seeking pre-approval for uploading isc-kea 2.6.3-1,
> replacing 2.6.1-2 currently in testing. I reviewed the upstream
> changelog, and versions 2.6.2 and 2.6.3 only add bug fixes and security
> fixes, see:
>
> https://gitlab.isc.org/isc-projects/kea/-/blob/Kea-2.6.3/ChangeLog
>
> [ Reason ]
>
> New upstream version 2.6.3 (released on May 28) fixes three CVEs,
> tracked in #1106737. As I noted in message 27, the most worrisome issues
> seem to be fixed already in Debian, however:
>
> (1) Following upstream may avoid security surprises, as upstream is
> where we can expect most security scrutiny.
>
> (2) We can drop some quilt patches due to the fixes now being
> implemented upstream.
>
> (3) The upload does fix the issue about the lease files being
> world-readable.
>
> Moreover, Salvatore (carnil) mentioned on IRC that more sophisticated
> attack vectors exist, see e.g.:
>
> https://www.openwall.com/lists/oss-security/2025/05/28/11
>
> I think Debian should stay where more eyes are looking.
>
> [ Impact ]
>
> Best case: Debian users remain affected by some not-too-severe security
> issues, e.g. world-readable lease files.
>
> Worst case: Debian remains vulnerable to some of the high severity
> issues, but in a non-obvious way because we diverge from upstream.
>
> [ Tests ]
>
> The package has non-superficial autopkgtests.
>
> [ Risks ]
>
> Some of the other bugfixes in 2.6.2 and 2.6.3 may cause unexpected
> changes in how the package behaves. It is however to be noted that for
> people doing stable-to-stable upgrades, the big jump will be from
> version 2.2.0 in Bookworm to version 2.6.x in Trixie. What is proposed
> here is minor compared to that.
>
> [ Checklist ]
> [x] all changes are documented in the d/changelog
> [x] I reviewed all changes and I approve them
> [x] attach debdiff against the package in testing
>
> [ Other info ]
>
> Given that upstream is the same and the version scheme is the same, it
> makes sense here to apply the same policies that are already in place
> for ISC Bind.
>
> I'm attaching a full debdiff, but also see this salsa branch, with the
> salsa pipeline enabled:
>
> https://salsa.debian.org/paride/isc-kea/-/tree/package-2.6.3

ACK, please go ahead.

Cheers
-- 
Sebastian Ramacher

