
Re: privoxy stretch package 3.0.26-3+deb9u2 prepared


Thanks for preparing an LTS fix for privoxy.

For reference, our full procedure is documented at:

To answer your points:

- The debdiff looks good to me

- Salvatore updated the CVE-2021-20274 status accordingly

- 'minor issue' means there is no immediate urgency, so the buster/stable fixes may be delayed to a point release.
LTS does not have a point release system so an LTS upload sounds good.

- Abhijith (in Cc:) announced his intention to work on the package yesterday [1], you probably can coordinate with him for the next steps, in particular who will take care of sending the e-mail and website announcements.

[1] https://salsa.debian.org/security-tracker-team/security-tracker/-/blob/master/data/dla-needed.txt

- If you plan to work on future LTS updates of privoxy and would like to be contacted before the LTS team starts working on an update, let us know and we'll add you in [2].

[2] https://salsa.debian.org/security-tracker-team/security-tracker/-/blob/master/data/packages/lts-do-call-me


On 08/03/2021 14:38, Roland Rosenfeld wrote:

(please Cc: me in reply, since I'm not subscribed to debian-lts)

Privoxy upstream just released version 3.0.32, which fixes five new
CVEs, which are also reported at security-tracker.

I prepared a package that fixes CVE-2021-20272, CVE-2021-20273,
CVE-2021-20275, and CVE-2021-20276.

CVE-2021-20274 is missing, since this affects code, that was
introduced in 3.0.29, so stretch package is not affected, since we
shipped 3.0.26 in stretch.  I requested on IRC #debian-security to
tag stretch and buster as not affected for this CVE.

Since all other CVEs are tagged "minor issue" on security-tracker, I'm
not sure whether it's worth doing an LTS upload for this.

If you think so, feel free to use it or tell me, what I have to do to
upload it...

A patch against 3.0.26-3+deb9u1 is attached.

Salsa pipeline was successful with this:
https://salsa.debian.org/debian/privoxy/-/pipelines/237014 including
the testsuite.

