Bug#1107225: marked as done (pre-approval: isc-kea/2.6.3-1)



Your message dated Wed, 04 Jun 2025 10:35:48 +0000
with message-id <E1uMlTI-005eJr-39@respighi.debian.org>
and subject line unblock isc-kea
has caused the Debian Bug report #1107225,
regarding pre-approval: isc-kea/2.6.3-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1107225: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1107225
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
X-Debbugs-Cc: isc-kea@packages.debian.org, paride@debian.org, carnil@debian.org, athos.ribeiro@canonical.com
Control: affects -1 + src:isc-kea
User: release.debian.org@packages.debian.org
Usertags: unblock

Hello, I'm seeking pre-approval for uploading isc-kea 2.6.3-1,
replacing 2.6.1-2 currently in testing. I reviewed the upstream
changelog, and versions 2.6.2 and 2.6.3 only add bug fixes and security
fixes, see:

https://gitlab.isc.org/isc-projects/kea/-/blob/Kea-2.6.3/ChangeLog

[ Reason ]

New upstream version 2.6.3 (released on May 28) fixes three CVEs,
tracked in #1106737. As I noted in message 27, the most worrisome issues
seem to be fixed already in Debian, however:

(1) Following upstream may avoid security surprises, as upstream is
where we can expect most security scrutiny.

(2) We can drop some quilt patches due to the fixes now being
implemented upstream.

(3) The upload does fix the issue about the lease files being
world-readable.

Moreover, Salvatore (carnil) mentioned on IRC that more sophisticated
attack vectors exist, see e.g.:

https://www.openwall.com/lists/oss-security/2025/05/28/11

I think Debian should stay where more eyes are looking.

[ Impact ]

Best case: Debian users remain affected by some not-too-severe security
issues, e.g. world-readable lease-files.

Worst case: Debian remains vulnerable to some of the high severity
issues, but in a non-obvious way because we diverge from upstream.

[ Tests ]

The package has non-superficial autopkgtests.

[ Risks ]

Some of the other bugfixes in 2.6.2 and 2.6.3 may cause unexpected
changes in how the package behaves. It is however to be noted that for
people doing stable-to-stable upgrades, the big jump will be from
version 2.2.0 in Bookworm to version 2.6.x in Trixie. What is proposed
here is minor compared to that.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]

Given that upstream is the same and the version scheme is the same, it
makes sense here to apply the same policies that are already in place
for ISC Bind.

I'm attaching a full debdiff, but also see this salsa branch, with the
salsa pipeline enabled:

https://salsa.debian.org/paride/isc-kea/-/tree/package-2.6.3

Attachment: isc-kea_2.6.1-2_2.6.3-1.debdiff.xz
Description: application/xz


--- End Message ---
--- Begin Message ---
Unblocked isc-kea.

--- End Message ---