Bug#988225: buster-pu: package mapserver/7.2.2-2
Hi,
[Disclaimer not a release team member]
On Sat, May 08, 2021 at 08:08:26AM +0200, Bas Couwenberg wrote:
> Package: release.debian.org
> Severity: normal
> Tags: buster
> User: release.debian.org@packages.debian.org
> Usertags: pu
>
> CVE-2021-32062 as reported in #988208 also affects version 7.2 in buster.
>
> [ Reason ]
> Fix CVE-2021-32062.
>
> [ Impact ]
> Unfixed security issue.
>
> [ Tests ]
> Upstream CI.
>
> [ Risks ]
> Low.
>
> [ Checklist ]
> [x] *all* changes are documented in the d/changelog
> [x] I reviewed all changes and I approve them
> [x] attach debdiff against the package in (old)stable
> [ ] the issue is verified as fixed in unstable
>
> [ Changes ]
> A different VCS branch is used for buster, for which the packaging is updated.
>
> Both upstream patches are required to fix CVE-2021-32062.
> 0001-Use-CPLSetConfigOption-CPLGetConfigOption-for-some-C.patch is a dependency of 0001-Address-flaw-in-CGI-mapfile-loading-that-makes-it-po.patch.
>
> The upstream changes introduce two symbols used to fix the issue, for which the symbols file is updated.
>
> lintian also reported a spelling error, which is left unfixed.
>
> [ Other info ]
> The fix for unstable is pending pre-approval, see: #988224.
>
> Kind Regards,
>
> Bas
> diff -Nru mapserver-7.2.2/debian/changelog mapserver-7.2.2/debian/changelog
> --- mapserver-7.2.2/debian/changelog 2019-02-20 05:43:10.000000000 +0100
> +++ mapserver-7.2.2/debian/changelog 2021-05-08 07:35:27.000000000 +0200
> @@ -1,3 +1,12 @@
> +mapserver (7.2.2-2) buster; urgency=high
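Review bot: In the added changelog header line, the version 7.2.2-2 is a plain Debian revision with nothing marking it as a stable update. Uploads targeting buster conventionally append a +deb10uN suffix to the revision already in the suite, which keeps the version sorting below any later plain revision in newer suites and makes the upload's origin visible in package listings. Only this first line of the hunk is quoted, so the entry body that should document the CVE-2021-32062 patches and the symbols file update cannot be checked from here.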
To try to be consistent with versioning usually for stable, I would
suggest to use 7.2.2-1+deb10u1 (even if we know that 7.2.2-2 was never
in the archive).
Though that said, exceptions exist anyway.
Regards,
Salvatore