Your message dated Fri, 6 Aug 2021 14:02:36 +0200 with message-id <3aed414c-7985-ac09-d788-198d394b0865@debian.org> and subject line Re: Bug#991811: unblock: libapache2-mod-auth-openidc/2.4.9-1 has caused the Debian Bug report #991811, regarding unblock: libapache2-mod-auth-openidc/2.4.9-1 to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

--
991811: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=991811
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: unblock: libapache2-mod-auth-openidc/2.4.9-1
- From: Christoph Martin <chrism@debian.org>
- Date: Mon, 02 Aug 2021 13:33:21 +0200
- Message-id: <162790400181.14110.6123898805585025818.reportbug@inigo.fritz.box>

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package libapache2-mod-auth-openidc

Currently the version 2.4.4.1-2 of libapache2-mod-auth-openidc is in testing/bullseye. Some days ago four CVE security bugs were published which are fixed in version 2.4.9. The fix to CVE-2021-32791 looks quite big, so that I think it is not safe to backport it to 2.4.4.1 like the others could be.

I uploaded the latest upstream (2.4.9) rather than try to backport the fixes to 2.4.4.

unblock libapache2-mod-auth-openidc/2.4.9-1

-- System Information:
Debian Release: 10.10
  APT prefers stable-updates
  APT policy: (600, 'stable-updates'), (600, 'stable'), (500, 'oldstable'), (90, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-17-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
--- End Message ---
--- Begin Message ---
- To: Christoph Martin <martin@uni-mainz.de>, 991811-done@bugs.debian.org
- Cc: Christoph Martin <chrism@debian.org>, Debian Security Team <team@security.debian.org>
- Subject: Re: Bug#991811: unblock: libapache2-mod-auth-openidc/2.4.9-1
- From: Paul Gevers <elbrus@debian.org>
- Date: Fri, 6 Aug 2021 14:02:36 +0200
- Message-id: <3aed414c-7985-ac09-d788-198d394b0865@debian.org>
- In-reply-to: <d0518f3d-83dc-8fb2-5eaf-69dd5290bd35@uni-mainz.de>
- References: <162790400181.14110.6123898805585025818.reportbug@inigo.fritz.box> <162790400181.14110.6123898805585025818.reportbug@inigo.fritz.box> <85e844da-8531-5c68-7702-18a223895bb9@debian.org> <YQzlmRyxE/1myMAZ@eldamar.lan> <162790400181.14110.6123898805585025818.reportbug@inigo.fritz.box> <d0518f3d-83dc-8fb2-5eaf-69dd5290bd35@uni-mainz.de>

Hi,

On 06-08-2021 11:46, Christoph Martin wrote:
> On 06.08.21 at 09:32, Salvatore Bonaccorso wrote:
>>>
>>> It's *very* late in the freeze so I need an answer *real soon*. You
>>> didn't tell us how you tested the package, how upstream tested the
>>> changes and how you *judge* the changes between bullseye and sid. I
>>> can't estimate the risk by myself.
>>
>> From security team perspective, we could tend to confirm to be good
>> option to actually go to 2.4.9 based version, if Christoph can confirm
>> the above questions on testing. Was it tested in production
>> environment as well?
>>
>
> I have tested it in a production environment.
> The package installs correctly on a bullseye system.
> Upgrade of the package also works.
> Login via our idp is working as expected.
> All expected env variables in phpinfo have the expected values.

unblock hint added. Thanks.

Paul

Attachment: OpenPGP_signature
Description: OpenPGP digital signature
--- End Message ---