Bug#1107225: pre-approval: isc-kea/2.6.3-1

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#1107225: pre-approval: isc-kea/2.6.3-1
From: Paride Legovini <paride@debian.org>
Date: Tue, 03 Jun 2025 12:00:33 +0200
Message-id: <[🔎] 174894483328.1013192.1963684747333824109.reportbug@ossimoro>
Reply-to: Paride Legovini <paride@debian.org>, 1107225@bugs.debian.org

Package: release.debian.org
Severity: normal
X-Debbugs-Cc: isc-kea@packages.debian.org, paride@debian.org, carnil@debian.org, athos.ribeiro@canonical.com
Control: affects -1 + src:isc-kea
User: release.debian.org@packages.debian.org
Usertags: unblock

Hello, I'm seeking for pre-approval for uploading isc-kea 2.6.3-1,
replacing 2.6.1-2 currently in testing. I reviewed the upstream
changelog, and versions 2.6.2 and 2.6.3 only add bug fixes and security
fixes, see:

https://gitlab.isc.org/isc-projects/kea/-/blob/Kea-2.6.3/ChangeLog

[ Reason ]

New upstream version 2.6.3 (released on May 28) fixes three CVEs,
tracked in #1106737. As I noted in message 27, the most worrisome issues
seems to be fixed already in Debian, however:

(1) Following upstream may avoid security surprises, as upstream is
where we can expect most security scrutiny.

(2) We can drop some quilt patches due to the fixes now being
implemented upstream.

(3) The upload does fix the issue about the lease files being
world-readable.

Moreover, Salvatore (carnil) mentioned on IRC that more sophisticated
attack vectors exist, see e.g.:

https://www.openwall.com/lists/oss-security/2025/05/28/11

I think Debian should stay where more eyes are looking.

[ Impact ]

Best case: Debian users remain affected by some not-too-severe security
issues, e.g. world-readable lease-files.

Worst case: Debian remains vulnerable to some of the high severity
issues, but in a non-obvious way because we diverge from upstream.

[ Tests ]

The package has non-superficial autopkgtests.

[ Risks ]

Some of the other bugfixes in 2.6.2 and 2.6.3 may cause unexpected
changes in how the package behaves. It is however to be noted that for
people doing stable-to-stable upgrades, the big jump will be from
version 2.2.0 in Bookworm to version 2.6.x in Trixie. What is proposed
here is minor compared to that.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]

Given that upstream is the same and the version scheme is the same, it
makes sense here to apply the same policies that are already in place
for ISC Bind.

I'm attaching a full debdiff, but also see this salsa branch, with the
salsa pipeline enabled:

https://salsa.debian.org/paride/isc-kea/-/tree/package-2.6.3

Attachment: isc-kea_2.6.1-2_2.6.3-1.debdiff.xz
Description: application/xz

Reply to:

Follow-Ups:
- Processed: pre-approval: isc-kea/2.6.3-1
  - From: "Debian Bug Tracking System" <owner@bugs.debian.org>
- Processed: Re: Bug#1107225: pre-approval: isc-kea/2.6.3-1
  - From: "Debian Bug Tracking System" <owner@bugs.debian.org>
- Bug#1107225: pre-approval: isc-kea/2.6.3-1
  - From: Sebastian Ramacher <sramacher@debian.org>
- Bug#1107225: marked as done (pre-approval: isc-kea/2.6.3-1)
  - From: "Debian Bug Tracking System" <owner@bugs.debian.org>

Prev by Date: Processed: pre-approval: isc-kea/2.6.3-1
Next by Date: Processed: Re: Bug#1107225: pre-approval: isc-kea/2.6.3-1
Previous by thread: Bug#1107218: marked as done (unblock: python-hypothesis/6.130.5-2)
Next by thread: Processed: pre-approval: isc-kea/2.6.3-1
Index(es):
- Date
- Thread