Re: Issues fixed in buster and bookworm but not in bullseye
Some follow-up on mydumper.
On Wed, Sep 03, 2025 at 05:06:55PM +0200, Lee Garrett wrote:
> On 26/09/2025 23:38, Adrian Bunk wrote:
> > mydumper:
> > No action after receiving instructions from SRM in May (#1106790).
>
> FWIW, I have fixed CVE-2025-30224 in the bookworm and the sid branch in May,
> and also pushed the changes to the packaging repo. I have uploaded +deb12u2
> back then and it's been waiting in bookworm-new since. Because the package
> in sid has bitrot and FTBFS, it can't be fixed without also bumping the
> upstream release and doing major packaging work.
>
> Since the maintainer of mydumper is also inactive on all the other packages
> they own, I have notified the MIA team in May and the ball is in their
> hands. mydumper is not in trixie or forky due to RC bugs. I've now filed a
> RoQA to remove it in unstable, and also pinged the bug so the upload gets
> sent to b-p-u. As such there's nothing left to do on our side.
>
It looks like Otto took over the package and uploaded to sid just
yesterday (2025-09-09) and that his upload includes your CVE-2025-30224
fix. Otto also appears to have commented on #1106790 with a note about
welcoming collaboration. That part seems clear to me, and it is a good
development that makes it seem like the package will receive active
maintenance and attention.
Perhaps SRM will move soon to accept the package that is waiting in
bookworm-new.
Regards,
-Roberto
--
Roberto C. Sánchez