--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: unblock: libapache2-mod-auth-openidc/2.4.9-1
- From: Christoph Martin <chrism@debian.org>
- Date: Mon, 02 Aug 2021 13:33:21 +0200
- Message-id: <162790400181.14110.6123898805585025818.reportbug@inigo.fritz.box>
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock package libapache2-mod-auth-openidc
Currently, version 2.4.4.1-2 of libapache2-mod-auth-openidc is in
testing/bullseye. Some days ago four CVE security bugs were published
which are fixed in version 2.4.9.
The fix for CVE-2021-32791 looks quite big, so I think it is not
safe to backport it to 2.4.4.1 the way the others could be.
I uploaded the latest upstream (2.4.9) rather than trying to
backport the fixes to 2.4.4.
unblock libapache2-mod-auth-openidc/2.4.9-1
-- System Information:
Debian Release: 10.10
APT prefers stable-updates
APT policy: (600, 'stable-updates'), (600, 'stable'), (500, 'oldstable'), (90, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.19.0-17-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
--- End Message ---
--- Begin Message ---
- To: 991811-done@bugs.debian.org, Salvatore Bonaccorso <carnil@debian.org>, Christoph Martin <martin@uni-mainz.de>
- Cc: Debian Security Team <team@security.debian.org>
- Subject: Re: Bug#991811: unblock: libapache2-mod-auth-openidc/2.4.9-1
- From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Date: Sat, 10 Sep 2022 19:33:35 +0100
- Message-id: <dba75533a854be0a8dd4bd97732f283406bdc58a.camel@adam-barratt.org.uk>
- In-reply-to: <028c73b474f89d02659a11e37daa32b0622aaf46.camel@adam-barratt.org.uk>
- References: <162790400181.14110.6123898805585025818.reportbug@inigo.fritz.box> <162790400181.14110.6123898805585025818.reportbug@inigo.fritz.box> <85e844da-8531-5c68-7702-18a223895bb9@debian.org> <YQzlmRyxE/1myMAZ@eldamar.lan> <d0518f3d-83dc-8fb2-5eaf-69dd5290bd35@uni-mainz.de> <162790400181.14110.6123898805585025818.reportbug@inigo.fritz.box> <ae888395-9596-a900-af7e-e25831dc0c3d@uni-mainz.de> <YR6xsjNbw94xGbcs@eldamar.lan> <162790400181.14110.6123898805585025818.reportbug@inigo.fritz.box> <ec633a34-e8a9-874f-5ad2-1a6e1b26c488@uni-mainz.de> <162790400181.14110.6123898805585025818.reportbug@inigo.fritz.box> <YSOYled+M8z4Zi53@eldamar.lan> <162790400181.14110.6123898805585025818.reportbug@inigo.fritz.box> <028c73b474f89d02659a11e37daa32b0622aaf46.camel@adam-barratt.org.uk>
On Thu, 2021-09-30 at 20:43 +0100, Adam D. Barratt wrote:
> Control: tags -1 + moreinfo
>
> On Mon, 2021-08-23 at 14:46 +0200, Salvatore Bonaccorso wrote:
> > Hi Christoph,
> >
> > On Mon, Aug 23, 2021 at 01:17:18PM +0200, Christoph Martin wrote:
> > > Hi Salvatore,
> > >
> > > Am 19.08.21 um 21:32 schrieb Salvatore Bonaccorso:
> > > > Hi Christoph,
> > > >
> > > > On Tue, Aug 10, 2021 at 01:42:32PM +0200, Christoph Martin
> > > > wrote:
> > > > > Dear Security Team,
> > > > >
> > > > > the fixed version is now in bullseye. Thanks for that.
> > > > >
> > > > > What is the plan for buster and stretch? Do you prepare
> > > > > fixes?
> > > >
> > > > Thanks for following up on that. For buster, can you fix those
> > > > issues, and ideally as well CVE-2019-14857 (#942165) and
> > > > CVE-2019-20479 via an upcoming buster point release?
> > >
> > > Ok. I'll prepare that update. That would be version 2.4.9-1~deb11u1?
> >
> > Depends (but then ~deb10u1). Why I say depends: buster currently has
> > 2.3.10.2-1, and I'm not sure if we can be confident to bump the
> > version from 2.3.10.2 upstream to 2.4.9? This has to be acked by the
> > release team if suitable.
> >
> > If SRM agree on importing the 2.4.9 version: if it is merely a
> > rebuild of the bullseye package back for buster, then 2.4.9-1~deb10u1
> > would be good; if it's an import of new upstream on top of the current
> > packaging instead, I would choose 2.4.9-0+deb10u1.
> >
> > But the most important question here is if SRM agree on bumping the
> > version to 2.4.9.
>
> We'd really need to see what that looks like first.
Unfortunately we never did, and the final point release for buster was
earlier today. I'm therefore closing this request.
Regards,
Adam
--- End Message ---