Hi,

On 30/12/2024 21:12, Salvatore Bonaccorso wrote:
> Hi,
>
> On Sun, Dec 01, 2024 at 10:14:16PM +0100, Lee Garrett wrote:
>> Hi, these three CVEs are now fixed in buster and bullseye. This means users who upgrade to bookworm will be vulnerable to those issues again. Can we get a decision from the release team on this bug? Is there any information missing to make a decision?
>
> What is the status on this? Lee, I have not looked at all the changes between the current bookworm version and trixie, but you might need to bake-out changes not suitable for bookworm.
I reviewed the changes. They're mostly fixes to packaging bugs (e.g. missing depends, non-user-visible changes like file renames in the source package, bugfixes to autopkgtests, updated control fields) and I believe they're suitable for inclusion in bookworm. So I went ahead and uploaded the package I had prepared in August.
> The alternative is actually to otherwise do a new upstream version import on top of the current packaging. Looking in particular on the 2.90-1 changelog there might be much packaging overhaul as well.
>
> Hope that helps. I think it will now be too late for 12.9 in a few days but ideally those CVE fixes are landing for 12.10.
>
> Regards,
> Salvatore
Best wishes and happy New Year's Eve celebrations,
Lee