
Bug#991811: unblock: libapache2-mod-auth-openidc/2.4.9-1



Hi Christoph,

On Mon, Aug 23, 2021 at 01:17:18PM +0200, Christoph Martin wrote:
> Hi Salvatore,
> 
> On 19.08.21 at 21:32, Salvatore Bonaccorso wrote:
> > Hi Christoph,
> > 
> > On Tue, Aug 10, 2021 at 01:42:32PM +0200, Christoph Martin wrote:
> >> Dear Security Team,
> >>
> >> the fixed version is now in bullseye. Thanks for that.
> >>
> >> What is the plan for buster and stretch? Do you prepare fixes?
> > 
> > thanks for following up on that. For buster, can you fix those issues,
> > and ideally as well CVE-2019-14857 (#942165) and CVE-2019-20479 via an
> > upcoming buster point release?
> 
> Ok. I prepare that update. That would be a version 2.4.9-1~deb11u1 ?

Depends (but then ~deb10u1). Why I say depends: buster has currently
2.3.10.2-1, and I'm not sure if we can be confident to bump the
version from 2.3.10.2 upstream to 2.4.9? This has to be acked by the
release team if suitable.

If SRM agree on importing the 2.4.9 version: if it is merely a rebuild
of the bullseye package back for buster, then 2.4.9-1~deb10u1 would be
good, if it's an import of new upstream on top of the current
packaging instead I would choose 2.4.9-0+deb10u1.

But the most important question here is if SRM agree on bumping the
version to 2.4.9.

If feasible to cherry-pick the needed patches then this would be
2.3.10.2-1+deb10u1.

Does this help?

Regards,
Salvatore

