Hey Sylvain,

On Wed, 2025-04-16 at 12:40 +0200, Sylvain Beucler wrote:
> The patch looks good :)

Thanks!

> The LTS upload workflow is detailed at:
> https://lts-team.pages.debian.net/wiki/Development.html
>
> As a DD you can do everything by yourself, but if you want I can take
> care of the administrative side (registering a DLA, announcing it, etc.).

Okay, cool - so I have made a source-only upload to security-master and
registered DLA-4129-1. Now I wait until they are built, fill out the
announcement template and then I'll send it.

> How did you test the update?

On some (live) servers (that don't normally use the
"OIDCProviderAuthRequestMethod POST" setting). ;)

> There's a proof-of-concept for this CVE IIUC.

There was no concrete info in the GHSA, so I used my NI[1] to come up with

  echo -e "GET /wp-login.php HTTP/1.1\r\nHost: <hostname>\r\nAccept: text/html\r\n\r\n" | openssl s_client -connect <hostname>:443 -ign_eof

[1]: Natural Intelligence, SCNR ;)

> We also try to run tests at Salsa-CI, with a LTS config:
> https://lts-team.pages.debian.net/git-workflow-lts.html#add-salsa-ci-yml
> You can push at your own repo at Salsa or at the lts-team repo if you
> wish to keep LTS/ELTS history separate.

Great - I added it to my Bullseye branch!

Thanks,
Moritz