Package: release.debian.org
Severity: normal
X-Debbugs-Cc: isc-kea@packages.debian.org, paride@debian.org, carnil@debian.org, athos.ribeiro@canonical.com
Control: affects -1 + src:isc-kea
User: release.debian.org@packages.debian.org
Usertags: unblock

Hello,

I'm seeking pre-approval for uploading isc-kea 2.6.3-1, replacing 2.6.1-2 currently in testing. I reviewed the upstream changelog, and versions 2.6.2 and 2.6.3 only add bug fixes and security fixes, see:

https://gitlab.isc.org/isc-projects/kea/-/blob/Kea-2.6.3/ChangeLog

[ Reason ]
New upstream version 2.6.3 (released on May 28) fixes three CVEs, tracked in #1106737. As I noted in message 27, the most worrisome issues seem to be fixed already in Debian, however:

(1) Following upstream may avoid security surprises, as upstream is where we can expect most security scrutiny.
(2) We can drop some quilt patches due to the fixes now being implemented upstream.
(3) The upload does fix the issue about the lease files being world-readable.

Moreover, Salvatore (carnil) mentioned on IRC that more sophisticated attack vectors exist, see e.g.:

https://www.openwall.com/lists/oss-security/2025/05/28/11

I think Debian should stay where more eyes are looking.

[ Impact ]
Best case: Debian users remain affected by some not-too-severe security issues, e.g. world-readable lease files.
Worst case: Debian remains vulnerable to some of the high severity issues, but in a non-obvious way because we diverge from upstream.

[ Tests ]
The package has non-superficial autopkgtests.

[ Risks ]
Some of the other bugfixes in 2.6.2 and 2.6.3 may cause unexpected changes in how the package behaves. It is however to be noted that for people doing stable-to-stable upgrades, the big jump will be from version 2.2.0 in Bookworm to version 2.6.x in Trixie. What is proposed here is minor compared to that.

[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing

[ Other info ]
Given that upstream is the same and the version scheme is the same, it makes sense here to apply the same policies that are already in place for ISC Bind.

I'm attaching a full debdiff, but also see this salsa branch, with the salsa pipeline enabled:

https://salsa.debian.org/paride/isc-kea/-/tree/package-2.6.3
Attachment:
isc-kea_2.6.1-2_2.6.3-1.debdiff.xz
Description: application/xz