Re: ceph 14.2.22 for bullseye

To: "Daniel Baumann" <daniel@debian.org>, debian-lts@lists.debian.org
Subject: Re: ceph 14.2.22 for bullseye
From: "Chris Lamb" <lamby@debian.org>
Date: Tue, 31 Dec 2024 14:39:20 +0000
Message-id: <[🔎] 9541cacd-fec5-448b-8212-8156fa7a8f78@app.fastmail.com>
In-reply-to: <[🔎] cc116735-67af-4f72-a772-9bd162a39727@app.fastmail.com>
References: <[🔎] 5f7b0ed1-e2be-4739-9800-98245c33d70a@debian.org> <[🔎] cc116735-67af-4f72-a772-9bd162a39727@app.fastmail.com>

hello Daniel,

>> Please let me know if you'd like me to change anything (here or on
>> #debian-lts), or if I can proceed to upload.

I've taken a look at the proposed package and compared it with the 4
CVEs marked as outstanding against the ceph package currently in LTS.

* CVE-2023-43040: This is the RGW-related one you believe is not
  valid/applicable for LTS, right?

* CVE-2022-3650: I don't see the relevant changes for this CVE in the
  proposed package.

* CVE-2022-0670: Ditto this one.

* CVE-2022-0670: ... and this one also.

What am I missing? :-)

§

Separate to that, just to note that the debdiff is quite substantial:

   https://people.debian.org/~lamby/debdiff-ceph.txt.xz

I'm guessing, however, that ceph is perhaps one of those packages
where uploading the point release is still going to be better than
trying to individually patch it.


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org 🍥 chris-lamb.co.uk
       `-

Reply to:

References:
- ceph 14.2.22 for bullseye
  - From: Daniel Baumann <daniel@debian.org>
- Re: ceph 14.2.22 for bullseye
  - From: "Chris Lamb" <lamby@debian.org>

Prev by Date: Re: Fixing src:ucf environmnent variable insecurity in [old]stable
Next by Date: Re: Revisiting some old DLAs
Previous by thread: Re: ceph 14.2.22 for bullseye
Next by thread: Re: twitter-bootstrap3/4 support
Index(es):
- Date
- Thread