Re: updating non-free nvidia-graphics-drivers in stretch for CVE-2021-1056

[Ola Lundqvist <ola@inguza.com>]

Hi Andreas

Stretch is managed by the LTS team. For information about the procedures to get it updated I refer you to this page.

https://wiki.debian.org/LTS/Development

I guess we need to wait until buster has got it updated, if not we may end up in strange version handling.

If there is anything you would like assistance with, please let me know.

Cheers

// Ola

On Fri, 22 Jan 2021 at 20:56, Andreas Beckmann <anbe@debian.org> wrote:

Hi,

I'd like to update src:nvidia-graphics-drivers in stretch from 390.138-1
to 390.141-1 which fixes CVE-2021-1056 (#979670).

For stable, the non-free nvidia drivers are usually updated to new
upstream releases fixing CVEs via stable-pu in point releases without
issuing DSA.
What needs to be done to get the package updated in stretch?

The 390.141 driver version is currently available in
sid/bullseye/buster-backports as
src:nvidia-graphics-drivers-legacy-390xx and has been requested for
buster-pu (as src:nvidia-graphics-drivers-legacy-390xx) in #980201. So
far we haven't heard about any issues with this driver, but there are
still some people that use it for legacy hardware. (AFAIK, the Debian
NVIDIA Maintainers don't have any legacy devices where we could test
functionality of this driver.) As usual, these new upstream releases for
stable are accompanied by some packaging improvements to keep the
different drivers in sync (there are currently 7 driver series in sid, 1
in NEW and bullseye is supposed to ship with 4 or 5 of them.)


Andreas

--

 --- Inguza Technology AB --- MSc in Information Technology ----

|  ola@inguza.com                    opal@debian.org            |

|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |

 ---------------------------------------------------------------