
Bug#991811: unblock: libapache2-mod-auth-openidc/2.4.9-1



Hi Christopher,

On 02-08-2021 13:33, Christoph Martin wrote:
> Please unblock package libapache2-mod-auth-openidc
> 
> currently the version 2.4.4.1-2 of libapache2-mod-auth-openidc is in
> testing/bullseye. Some days ago four CVE security bugs were published
> which are fixed in version 2.4.9.
> 
> The fix to CVE-2021-32791 looks quite big, so that I think it is not
> safe to backport it to 2.4.4.1 like the others could be.
> 
> I uploaded the latest upstream (2.4.9) rather than try to
> backport the fixes to 2.4.4.

It's *very* late in the freeze so I need an answer *real soon*. You
didn't tell us how you tested the package, how upstream tested the
changes and how you *judge* the changes between bullseye and sid. I
can't estimate the risk by myself.

Paul

