Bug#1107225: pre-approval: isc-kea/2.6.3-1
Control: tags -1 confirmed
On 2025-06-03 12:00:33 +0200, Paride Legovini wrote:
> Package: release.debian.org
> Severity: normal
> X-Debbugs-Cc: isc-kea@packages.debian.org, paride@debian.org, carnil@debian.org, athos.ribeiro@canonical.com
> Control: affects -1 + src:isc-kea
> User: release.debian.org@packages.debian.org
> Usertags: unblock
>
> Hello, I'm seeking pre-approval for uploading isc-kea 2.6.3-1,
> replacing 2.6.1-2 currently in testing. I reviewed the upstream
> changelog, and versions 2.6.2 and 2.6.3 only add bug fixes and security
> fixes, see:
>
> https://gitlab.isc.org/isc-projects/kea/-/blob/Kea-2.6.3/ChangeLog
>
> [ Reason ]
>
> New upstream version 2.6.3 (released on May 28) fixes three CVEs,
> tracked in #1106737. As I noted in message 27, the most worrisome issues
> seem to be fixed already in Debian, however:
>
> (1) Following upstream may avoid security surprises, as upstream is
> where we can expect most security scrutiny.
>
> (2) We can drop some quilt patches due to the fixes now being
> implemented upstream.
>
> (3) The upload does fix the issue about the lease files being
> world-readable.
>
> Moreover, Salvatore (carnil) mentioned on IRC that more sophisticated
> attack vectors exist, see e.g.:
>
> https://www.openwall.com/lists/oss-security/2025/05/28/11
>
> I think Debian should stay where more eyes are looking.
>
> [ Impact ]
>
> Best case: Debian users remain affected by some not-too-severe security
> issues, e.g. world-readable lease-files.
>
> Worst case: Debian remains vulnerable to some of the high severity
> issues, but in a non-obvious way because we diverge from upstream.
>
> [ Tests ]
>
> The package has non-superficial autopkgtests.
>
> [ Risks ]
>
> Some of the other bugfixes in 2.6.2 and 2.6.3 may cause unexpected
> changes in how the package behaves. It is however to be noted that for
> people doing stable-to-stable upgrades, the big jump will be from
> version 2.2.0 in Bookworm to version 2.6.x in Trixie. What is proposed
> here is minor compared to that.
>
> [ Checklist ]
> [x] all changes are documented in the d/changelog
> [x] I reviewed all changes and I approve them
> [x] attach debdiff against the package in testing
>
> [ Other info ]
>
> Given that upstream is the same and the version scheme is the same, it
> makes sense here to apply the same policies that are already in place
> for ISC Bind.
ACK, please go ahead.
Cheers
>
> I'm attaching a full debdiff, but also see this salsa branch, with the
> salsa pipeline enabled:
>
> https://salsa.debian.org/paride/isc-kea/-/tree/package-2.6.3
--
Sebastian Ramacher