Bug#956216: buster-pu: package systemd/241-7~deb10u3
Hi Michael,
[Giving my opinion only, final word is obviously to the release team]
On Wed, Apr 08, 2020 at 04:11:31PM +0200, Michael Biebl wrote:
> Package: release.debian.org
> Severity: normal
> Tags: buster
> User: release.debian.org@packages.debian.org
> Usertags: pu
>
> Hi,
>
> I'd like to make a stable/buster upload for systemd fixing CVE-2020-1712
> https://security-tracker.debian.org/tracker/CVE-2020-1712
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=950732
>
> After talking to the security team (namely Salvatore), we decided to fix
> this issue via a stable upload.
>
> The debdiff is a bit on the larger side, unfortunately.
> Salvatore made a smaller backport avoiding some of the refactorings
> that were done upstream
> https://salsa.debian.org/systemd-team/systemd/-/merge_requests/69
>
> I decided to go with the backport provided by upstream that was done for
> the v241-stable branch mainly for two reasons:
> - It makes potential future cherry-picks easier
> - Doing our own backport has the potential to introduce Debian specific
> bugs
>
> That said, if you prefer the more minimal backport from Salvatore,
> please let me know and I'll redo the upload accordingly.
While I did the work, I would as well strongly prefer to go rather the
upstream route and be on safe side. I tried to diligently backport it
but as upstream did provide their own approach to v241 branch I think
this would be better by means of the two raised reasons from Michael
above.
Thank you Michael for working towards a fix for the issue for buster.
Regards,
Salvatore
Reply to: