Re: [SECURITY] [DLA 4018-1] ruby2.7 security update

2025-01-28 Thread Lucas Kanashiro

Hi,

On 27/01/2025 12:04, Sylvain Beucler wrote:

Hi,

Do we plan/want to fix these REXML vulnerabilities accordingly in 
ruby3.1 (6 postponed) and ruby3.3 (1 unfixed) ?


This sounds like a candidate for a (O)SPU task:
https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues


We (ruby maintainers) are planning a SPU to also fix another bug, we 
should squeeze in the no-DSA fixes as well.


For ruby3.3, we should update to the latest upstream patch release 
before the trixie release.


Cheers!

--
Lucas Kanashiro



Bug#1094590: libapache-mod-jk: Please package new upstream version: 1.2.50

2025-01-28 Thread Santiago Ruano Rincón
Source: libapache-mod-jk
Severity: important
User: debian-lts@lists.debian.org
Usertags: upstream-trixie
X-Debbugs-Cc: debian-lts@lists.debian.org

Dear libapache-mod-jk maintainer(s),

Testing (trixie) currently ships libapache-mod-jk 1.2.49.  Upstream released
the latest version, 1.2.50, on August 12th 2024.

While I am not aware of any release schedule and EOL policy for
libapache-mod-jk, I would say that the more recent the release that can be
included in trixie, the better, and the easier it would be to provide
security updates to the users during the trixie life cycle. It is worth
noting that upstream has already fixed a (minor) security issue with
v1.2.50:
https://security-tracker.debian.org/tracker/CVE-2024-46544.

If you need or want help packaging this recent upstream version, please
don't hesitate to speak up.  Someone from the LTS team may be interested
in contributing (CC'ing debian-lts).

Best regards,

 -- Santiago, for the LTS Team.

