Hi,

Quagga 1.1.0 is currently in unstable and testing. I'd like to upload quagga 1.1.1 to fix #852454 (CVE-2017-5495).

Quagga ships with some shared libraries that are intended for internal use (common code between the various quagga routing daemons). These internal libraries have always had SONAME 0 up until now.

At some point between Quagga 0.99.24 and 1.1.0, the ABI on these dynamic libraries changed, and it was recently reported upstream as a bug against 1.1.0 [0]. Subsequently, between Quagga 1.1.0 and 1.1.1, upstream has bumped the SONAME on one of the libraries [1][2].

I'm looking for advice on what to do in this situation as the ABI change has already occurred on the package that is already in testing.

Quagga has no reverse dependencies in Debian that link to these shared libraries. Should I still go through the transition process before uploading 1.1.1?

As the quagga binary packages have cross-dependencies on the same version as each other, linking Quagga executables against different versions of the shared libraries couldn't occur with Debian packages. The only way that this ABI change could cause issues is the way that it did in [0], where the user was compiling different versions of quagga and linking them against the packaged shared libraries.

Any advice would be appreciated.

[0] https://lists.quagga.net/pipermail/quagga-dev/2016-December/033087.html
[1] https://lists.quagga.net/pipermail/quagga-dev/2017-January/033175.html
[2] http://git.savannah.gnu.org/cgit/quagga.git/commit/?id=99e00a19bb8afcf081d1551b886c6d85188e6c60

--
Regards,
Scott.