Bug#1035748: unblock: modsecurity/3.0.9-1

To: Salvatore Bonaccorso <carnil@debian.org>
Cc: Paul Gevers <elbrus@debian.org>, 1035748@bugs.debian.org, Ervin Hegedüs <airween@gmail.com>
Subject: Bug#1035748: unblock: modsecurity/3.0.9-1
From: Alberto Gonzalez Iniesta <agi@inittab.org>
Date: Sun, 28 May 2023 21:30:55 +0200
Message-id: <[🔎] ZHOr75P4ENeOgO9P@var.inittab.org>
Reply-to: Alberto Gonzalez Iniesta <agi@inittab.org>, 1035748@bugs.debian.org
In-reply-to: <[🔎] ZHJpFwGfHEwsHKv8@eldamar.lan>
References: <168356261184.101117.8241276422866397839.reportbug@var.inittab.org> <168356261184.101117.8241276422866397839.reportbug@var.inittab.org> <168356261184.101117.8241276422866397839.reportbug@var.inittab.org> <[🔎] 3faeb882-55b5-f5b0-4f36-6501eb68234a@debian.org> <[🔎] ZHJpFwGfHEwsHKv8@eldamar.lan> <168356261184.101117.8241276422866397839.reportbug@var.inittab.org>

Hi, Salvatore. Thanks for the heads up!

Hi, Paul et al.

Answering the questions on the referred page:
1) Yes, mainly a bugfix release as noted in its changelog [1]
2) The risks on the release quality are almost zero. Only
libnginx-mod-http-modsecurity depends on it (being modsecurity a
library).
3) No idea
4) No idea
5) Yes, including its Debian co-maintainer, Ervin Hegedus.
6) Yes
7) Its too long but mainly because of line numbers being updated in code
comments, like:
-#line 1459 "seclang-parser.yy"
+#line 1461 "seclang-parser.yy"
8) Not that many code changes
9) Not that difficult :-)

Cheers,

Alberto



[1] https://github.com/SpiderLabs/ModSecurity/releases/tag/v3.0.9



On Sat, May 27, 2023 at 10:33:27PM +0200, Salvatore Bonaccorso wrote:
> Hi Alberto,
> 
> On Wed, May 24, 2023 at 12:26:33PM +0200, Paul Gevers wrote:
> > control: tags -1 moreinfo
> > 
> > Hi,
> > 
> > On Mon, 08 May 2023 18:16:51 +0200 Alberto Gonzalez Iniesta
> > <agi@inittab.org> wrote:
> > > A new upstream version of modsecurity fixes a security bug
> > > (CVE-2023-28882, #1035083).
> > > We also fixed a FTBFS in the meantime (#1034760).
> > > Also nginx moved to pcre2, which we also did after the current version
> > > in bookworm.
> > 
> > Your message didn't reach our mail list, which typically is a bad sign
> > because it means your debdiff is big. New upstream releases are typically
> > not what we consider targeted fixes which are all we accept in this phase of
> > the release. Please read the FAQ [1] and provide all relevant information
> > pointed out there, particularly about upstream's policy on new releases.
> 
> Did you saw Paul's query? I'm asking since the deadline for unblock
> requests is tomorrow already.
> 
> Regards,
> Salvatore

-- 
Alberto Gonzalez Iniesta    | Formación, consultoría y soporte técnico
mailto/sip: agi@inittab.org | en GNU/Linux y software libre
Encrypted mail preferred    | http://inittab.com

Key fingerprint = 5347 CBD8 3E30 A9EB 4D7D  4BF2 009B 3375 6B9A AA55

Reply to:

References:
- Bug#1035748: unblock: modsecurity/3.0.9-1
  - From: Paul Gevers <elbrus@debian.org>
- Bug#1035748: unblock: modsecurity/3.0.9-1
  - From: Salvatore Bonaccorso <carnil@debian.org>

Prev by Date: Bug#1036894: unblock: closure-compiler/20130227+rhino-1
Next by Date: Processed: unblock: vdr-plugin-xineliboutput/2.2.0+git20211212-2.2
Previous by thread: Bug#1035748: unblock: modsecurity/3.0.9-1
Next by thread: Bug#1036678: unblock: ffmpeg/7:5.1.3-1
Index(es):
- Date
- Thread