Bug#1108548: bookworm-pu: package commons-vfs/2.1-4+deb12u1
Control: tags -1 + moreinfo
Hi,
On Tue, Jul 01, 2025 at 12:26:46AM +0200, Daniel Leidert wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bookworm
> X-Debbugs-Cc: commons-vfs@packages.debian.org
> Control: affects -1 + src:commons-vfs
> User: release.debian.org@packages.debian.org
> Usertags: pu
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> [ Reason ]
>
> CVE-2025-27553 has been fixed in Sid/Trixie and in Bullseye for some time now.
> But users of Bookworm are still vulnerable. This upload attempts to close that
> gap and to ensure a clean upgrade path for LTS users to Bookworm.
>
> [ Impact ]
>
> If the upload isn't approved, Bookworm users will continue to be vulnerable,
> and LTS users that upgrade to Bookworm will become vulnerable.
>
> [ Tests ]
>
> The tests are run during build and don't show any issues. The patch was also
> tested by the author and package maintainer, and there haven't been any reports
> about issues by users of Sid/Trixie or Bullseye.
>
> [ Risks ]
>
> The usual risks include regressions. But the patch has been tested and
> successfully deployed to Sid/Trixie and Bullseye without any reported issues.
>
> [ Checklist ]
> [x] *all* changes are documented in the d/changelog
> [x] I reviewed all changes and I approve them
> [x] attach debdiff against the package in (old)stable
> [x] the issue is verified as fixed in unstable
>
> [ Changes ]
>
> The patch changes the normalization process, taking into account URL-encoded
> characters.
Markus Koschany is taking care of commons-vfs for a DSA, so I'm
looping him in to see if he is fine with you doing the update via
bookworm-pu.
Markus, what is your take on it?
Regards,
Salvatore
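The request above describes the fix only as changing the normalization process so that URL-encoded characters are taken into account. As an added illustration of why that distinction matters in general, here is a small Python normalizer (example code written for this page, not the commons-vfs patch; the function names and the constructed sample paths are assumptions). It contrasts a naive normalizer that collapses `.` and `..` on the raw text with one that percent-decodes first, so that an encoded dot segment such as `%2e%2e` is treated the same as a literal `..` and can never survive normalization.

```python
# Added example: generic path normalization that accounts for URL-encoded
# characters. This is NOT the commons-vfs patch and does not reproduce its
# internals; it only illustrates the general point made in the request.
# Function names and sample inputs are constructed for this example.
from urllib.parse import unquote

MAX_DECODE_ROUNDS = 3  # bounded so double/triple encoding is unwrapped, but never loops forever


def _collapse(segments):
    """Resolve '.' and '..' segments, never climbing above the root."""
    out = []
    for seg in segments:
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue  # '..' at the root is dropped rather than escaping it
        out.append(seg)
    return "/" + "/".join(out)


def decode_fully(path):
    """Percent-decode repeatedly until the text stops changing (bounded).

    Design choice for this example: '%2F' is decoded into a real separator
    before splitting, so an encoded slash cannot hide a dot segment.
    """
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def normalize_naive(path):
    """Collapses dot segments on the raw text only.

    '%2e%2e' is an ordinary segment here, so it is kept verbatim and only
    becomes '..' once some later layer decodes it.
    """
    return _collapse(path.split("/"))


def normalize_decoded(path):
    """Decode first, then collapse: the canonical form is computed on the
    same text a consumer will eventually see, so encoding cannot change it."""
    return _collapse(decode_fully(path).split("/"))


def encoded_dot_segment_survives(path):
    """Check: does the naive result still contain a segment that decodes
    to '.' or '..'? A true result is the inconsistency the fix removes."""
    return any(unquote(seg) in (".", "..")
               for seg in normalize_naive(path).split("/"))


if __name__ == "__main__":
    for sample in ("/data/%2e%2e/etc/passwd", "/a/%252e%252e/b", "/a/b%2F.."):
        print(f"{sample:28} naive={normalize_naive(sample):28} "
              f"decoded={normalize_decoded(sample)}")
```

Running the block prints one line per constructed sample; the naive column keeps `%2e%2e` and `b%2F..` untouched while the decoded column resolves them, which is exactly the kind of mismatch between two normalization views that a "decode-aware" normalizer closes.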