Bug#985592: unblock: libnbd/1.6.2-1
Hi Hilko,
On Sat, Mar 20, 2021 at 06:24:57PM +0100, Sebastian Ramacher wrote:
> Control: tags -1 + moreinfo
>
> On 2021-03-20 15:27:28 +0100, Salvatore Bonaccorso wrote:
> > Package: release.debian.org
> > Severity: normal
> > User: release.debian.org@packages.debian.org
> > Usertags: unblock
> > X-Debbugs-Cc: carnil@debian.org,bengen@debian.org
> >
> > Hi Release team
> >
> > [Disclaimer, not the maintainer requesting the unblock, but I'm CC'ing
> > Hilko to confirm].
> >
> > Please unblock package libnbd
> >
> > [ Reason ]
> > The new upstream version uploaded libnbd/1.6.2-1 contains a fix for
> > CVE-2021-20286. It was announced as
> > https://listman.redhat.com/archives/libguestfs/2021-March/msg00092.html
> > . An isolated fix was
> > https://gitlab.com/nbdkit/libnbd/-/commit/2216190ecbbd853648df6a3280c17b345b0907a0
> > . The request is done to have bullseye without this CVE open.
> >
> > [ Impact ]
> > Denial of service.
> >
> > [ Tests ]
> > I have not performed tests specific to the version update 1.6.1 to
> > 1.6.2.
> >
> > [ Risks ]
> > Arguably there is a new upstream version, but the attached debdiff
> > collects all the changes additionally done.
> >
> > Again, Hilko is CC'ed to confirm if this is safe for bullseye.
> >
> > [ Checklist ]
> > [ ] all changes are documented in the d/changelog
> > [ ] I reviewed all changes and I approve them
> > [x] attach debdiff against the package in testing
> >
> > [ Other info ]
> > It should probably have an explicit acknowledgment for the unblock
> > from Hilko.
>
> Please remove the moreinfo tag once ACKed by Hilko.
Any input on this? Or was the version not aimed for bullseye?
Regards,
Salvatore