
Bug#962067: buster-pu: package dbus/1.12.20-0+deb10u1
On Sun, 2020-07-05 at 13:24 +0100, Simon McVittie wrote:
> Control: retitle -1 buster-pu: package dbus/1.12.20-0+deb10u1
> 
> On Sat, 20 Jun 2020 at 20:26:24 +0100, Adam D. Barratt wrote:
> > On Tue, 2020-06-02 at 21:22 +0100, Simon McVittie wrote:
> > > dbus 1.12.18 fixes a local denial of service vulnerability for
> > > which the Security Team have indicated they do not intend to
> > > issue a DSA.
> > > 
> > > If possible I would like to use upstream 1.12.x versions of dbus
> > > for buster (security and) stable updates, similar to the policy
> > > used in stretch and jessie. This branch includes security fixes
> > > and selected non-intrusive bug fixes (and unfortunately also the
> > > usual Autotools noise).
> > > 
> > 
> > That sounds OK to me, but will need the usual KiBi-ack due to the
> > udeb.
> 
> I have now released 1.12.20 upstream. This fixes a long-standing
> use-after-free if two usernames have the same numeric uid (which is
> potentially a security fix if you have such usernames), and a
> regression on Solaris derivatives. Does this still look OK for
> buster-pu? (Diff since the version you already saw attached - I
> haven't bothered to filter out the Autotools noise this time, because
> there is much less of it.)

I'd be OK with that from the SRM side (with the remaining d-i caveat).

> I've asked the security team whether they will now want a DSA for the
> use-after-free, but I suspect the answer will be "no, talk to the
> stable release team" so I'm asking preemptively.
> 
> For #962068, dbus 1.10.30 -> 1.10.32 has a remarkably similar diff
> (it's a cherry-pick of the same commits as in 1.12.20). I assume the
> judgement on that from both the security team and the stable release
> team will be the same as for buster, unless the stretch EOL has
> already happened by the time we get there.

My understanding is that security support for stretch ended yesterday.
(We've ended up with an extra week for fixes via opu due to
availability of people for the point release.)

Regards,

Adam
