
Bug#985592: unblock: libnbd/1.6.2-1



Hi Hilko,

On Thu, Mar 25, 2021 at 10:04:46PM +0100, Salvatore Bonaccorso wrote:
> Hi Hilko,
> 
> On Sat, Mar 20, 2021 at 06:24:57PM +0100, Sebastian Ramacher wrote:
> > Control: tags -1 + moreinfo
> > 
> > On 2021-03-20 15:27:28 +0100, Salvatore Bonaccorso wrote:
> > > Package: release.debian.org
> > > Severity: normal
> > > User: release.debian.org@packages.debian.org
> > > Usertags: unblock
> > > X-Debbugs-Cc: carnil@debian.org,bengen@debian.org
> > > 
> > > Hi Release team
> > > 
> > > [Disclaimer, not the maintainer requesting the unblock, but I'm CC'ing
> > > Hilko to confirm].
> > > 
> > > Please unblock package libnbd
> > > 
> > > [ Reason ]
> > > The new upstream version uploaded libnbd/1.6.2-1 contains a fix for
> > > CVE-2021-20286. It was announced as
> > > https://listman.redhat.com/archives/libguestfs/2021-March/msg00092.html
> > > . An isolated fix was
> > > https://gitlab.com/nbdkit/libnbd/-/commit/2216190ecbbd853648df6a3280c17b345b0907a0
> > > . The request is done to have bullseye without this CVE open.
> > > 
> > > [ Impact ]
> > > Denial of service.
> > > 
> > > [ Tests ]
> > > I have not performed tests specific to the version update 1.6.1 to
> > > 1.6.2.
> > > 
> > > [ Risks ]
> > > Arguably there is a new upstream version, but the attached debdiff
> > > collects all the changes additionally done.
> > > 
> > > Again, Hilko is CC'ed to confirm if this is safe for bullseye.
> > > 
> > > [ Checklist ]
> > >   [ ] all changes are documented in the d/changelog
> > >   [ ] I reviewed all changes and I approve them
> > >   [x] attach debdiff against the package in testing
> > > 
> > > [ Other info ]
> > > It should probably have an explicit acknowledgment for the unblock
> > > from Hilko.
> > 
> > Please remove the moreinfo tag once ACKed by Hilko.
> 
> Any input on this? Or was the version not aimed for bullseye?

Friendly ping. Did you get my email?

Now there was a new upstream version uploaded to unstable, so this is
going to be a bigger diff.

Regards,
Salvatore

