Bug#991811: unblock: libapache2-mod-auth-openidc/2.4.9-1
- To: Salvatore Bonaccorso <carnil@debian.org>, 991811@bugs.debian.org, Christoph Martin <martin@uni-mainz.de>
- Cc: Debian Security Team <team@security.debian.org>
- Subject: Bug#991811: unblock: libapache2-mod-auth-openidc/2.4.9-1
- From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Date: Thu, 30 Sep 2021 20:43:11 +0100
- Message-id: <028c73b474f89d02659a11e37daa32b0622aaf46.camel@adam-barratt.org.uk>
- Reply-to: "Adam D. Barratt" <adam@adam-barratt.org.uk>, 991811@bugs.debian.org
- In-reply-to: <YSOYled+M8z4Zi53@eldamar.lan>
- References: <162790400181.14110.6123898805585025818.reportbug@inigo.fritz.box> <162790400181.14110.6123898805585025818.reportbug@inigo.fritz.box> <85e844da-8531-5c68-7702-18a223895bb9@debian.org> <YQzlmRyxE/1myMAZ@eldamar.lan> <d0518f3d-83dc-8fb2-5eaf-69dd5290bd35@uni-mainz.de> <162790400181.14110.6123898805585025818.reportbug@inigo.fritz.box> <ae888395-9596-a900-af7e-e25831dc0c3d@uni-mainz.de> <YR6xsjNbw94xGbcs@eldamar.lan> <162790400181.14110.6123898805585025818.reportbug@inigo.fritz.box> <ec633a34-e8a9-874f-5ad2-1a6e1b26c488@uni-mainz.de> <162790400181.14110.6123898805585025818.reportbug@inigo.fritz.box> <YSOYled+M8z4Zi53@eldamar.lan> <162790400181.14110.6123898805585025818.reportbug@inigo.fritz.box>
Control: tags -1 + moreinfo
On Mon, 2021-08-23 at 14:46 +0200, Salvatore Bonaccorso wrote:
> Hi Christoph,
>
> On Mon, Aug 23, 2021 at 01:17:18PM +0200, Christoph Martin wrote:
> > Hi Salvatore,
> >
> > On 19.08.21 at 21:32, Salvatore Bonaccorso wrote:
> > > Hi Christoph,
> > >
> > > On Tue, Aug 10, 2021 at 01:42:32PM +0200, Christoph Martin wrote:
> > > > Dear Security Team,
> > > >
> > > > the fixed version is now in bullseye. Thanks for that.
> > > >
> > > > What is the plan for buster and stretch? Do you prepare fixes?
> > >
> > > thanks for following up on that. For buster, can you fix those issues,
> > > and ideally as well CVE-2019-14857 (#942165) and CVE-2019-20479 via an
> > > upcoming buster point release?
> >
> > Ok. I prepare that update. That would be a version 2.4.9-1~deb11u1?
>
> Depends (but then ~deb10u1). Why I say depends: buster has currently
> 2.3.10.2-1, and I'm not sure if we can be confident to bump the
> version from 2.3.10.2 upstream to 2.4.9? This has to be acked by the
> release team if suitable.
>
> If SRM agree on importing the 2.4.9 version: if it is merely a rebuild
> of the bullseye package back for buster, then 2.4.9-1~deb10u1 would be
> good, if it's an import of new upstream on top of the current
> packaging instead I would choose 2.4.9-0+deb10u1.
>
> But the most important question here is if SRM agree on bumping the
> version to 2.4.9.
We'd really need to see what that looks like first.
Regards,
Adam