Hi!

Thanks for preparing an LTS fix for privoxy.

For reference, our full procedure is documented at:
https://wiki.debian.org/LTS/Development

To answer your points:

- The debdiff looks good to me

- Salvatore updated the CVE-2021-20274 status accordingly

- 'minor issue' means there is no immediate urgency, so the buster/stable fixes may be delayed to a point release. LTS does not have a point release system so an LTS upload sounds good.

- Abhijith (in Cc:) announced his intention to work on the package yesterday [1], you probably can coordinate with him for the next steps, in particular who will take care of sending the e-mail and website announcements.
  [1] https://salsa.debian.org/security-tracker-team/security-tracker/-/blob/master/data/dla-needed.txt

- If you plan to work on future LTS updates of privoxy and would like to be contacted before the LTS team starts working on an update, let us know and we'll add you in [2]
  [2] https://salsa.debian.org/security-tracker-team/security-tracker/-/blob/master/data/packages/lts-do-call-me

Cheers!
Sylvain

On 08/03/2021 14:38, Roland Rosenfeld wrote:
Hi!

(please Cc: me in reply, since I'm not subscribed to debian-lts)

Privoxy upstream just released version 3.0.32, which fixes five new CVEs, which are also reported at security-tracker.

I prepared a package that fixes CVE-2021-20272, CVE-2021-20273, CVE-2021-20275, and CVE-2021-20276.

CVE-2021-20274 is missing, since this affects code that was introduced in 3.0.29, so the stretch package is not affected, since we shipped 3.0.26 in stretch. I requested on IRC #debian-security to tag stretch and buster as not affected for this CVE.

Since all other CVEs are tagged "minor issue" on security-tracker, I'm not sure whether it's worth doing an LTS upload for this. If you think so, feel free to use it or tell me what I have to do to upload it...

A patch against 3.0.26-3+deb9u1 is attached.

Salsa pipeline was successful with this:
https://salsa.debian.org/debian/privoxy/-/pipelines/237014
including the testsuite.

Greetings
Roland