
Bug#991811: marked as done (buster-pu:package libapache2-mod-auth-openidc/2.4.9-1~deb10u1 (pre-approval))



Your message dated Sat, 10 Sep 2022 19:33:35 +0100
with message-id <dba75533a854be0a8dd4bd97732f283406bdc58a.camel@adam-barratt.org.uk>
and subject line Re: Bug#991811: unblock: libapache2-mod-auth-openidc/2.4.9-1
has caused the Debian Bug report #991811,
regarding buster-pu:package libapache2-mod-auth-openidc/2.4.9-1~deb10u1 (pre-approval)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
991811: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=991811
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package libapache2-mod-auth-openidc

Currently the version 2.4.4.1-2 of libapache2-mod-auth-openidc is in
testing/bullseye. Some days ago four CVE security bugs were published
which are fixed in version 2.4.9.

The fix to CVE-2021-32791 looks quite big, so that I think it is not
safe to backport it to 2.4.4.1 like the others could be.

I uploaded the latest upstream (2.4.9) rather than try to
backport the fixes to 2.4.4.

unblock libapache2-mod-auth-openidc/2.4.9-1

-- System Information:
Debian Release: 10.10
  APT prefers stable-updates
  APT policy: (600, 'stable-updates'), (600, 'stable'), (500, 'oldstable'), (90, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-17-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

--- End Message ---
--- Begin Message ---
On Thu, 2021-09-30 at 20:43 +0100, Adam D. Barratt wrote:
> Control: tags -1 + moreinfo
> 
> On Mon, 2021-08-23 at 14:46 +0200, Salvatore Bonaccorso wrote:
> > Hi Christoph,
> > 
> > On Mon, Aug 23, 2021 at 01:17:18PM +0200, Christoph Martin wrote:
> > > Hi Salvatore,
> > > 
> > > On 19.08.21 at 21:32, Salvatore Bonaccorso wrote:
> > > > Hi Christoph,
> > > > 
> > > > On Tue, Aug 10, 2021 at 01:42:32PM +0200, Christoph Martin wrote:
> > > > > Dear Security Team,
> > > > > 
> > > > > the fixed version is now in bullseye. Thanks for that.
> > > > > 
> > > > > What is the plan for buster and stretch? Do you prepare fixes?
> > > > 
> > > > thanks for following up on that. For buster, can you fix those
> > > > issues, and ideally as well CVE-2019-14857 (#942165) and
> > > > CVE-2019-20479 via an upcoming buster point release?
> > > 
> > > Ok. I prepare that update. That would be a version
> > > 2.4.9-1~deb11u1?
> > 
> > Depends (but then ~deb10u1). Why I say depends: buster has currently
> > 2.3.10.2-1, and I'm not sure if we can be confident to bump the
> > version from 2.3.10.2 upstream to 2.4.9? This has to be acked by the
> > release team if suitable.
> > 
> > If SRM agree on importing the 2.4.9 version: if it is merely a
> > rebuild of the bullseye package back for buster, then
> > 2.4.9-1~deb10u1 would be good, if it's an import of new upstream on
> > top of the current packaging instead I would choose 2.4.9-0+deb10u1.
> > 
> > But the most important question here is if SRM agree on bumping the
> > version to 2.4.9.
> 
> We'd really need to see what that looks like first.

Unfortunately we never did, and the final point release for buster was
earlier today. I'm therefore closing this request.

Regards,

Adam

--- End Message ---
