Bug#1109084: New debdiff
On Wed, 2025-08-27 at 22:27 +0200, Salvatore Bonaccorso wrote:
> Any news here for the upload of apache2 for the bookworm point
> release?
>
> An update would need to happen soon now, as the window is closing
> this upcoming weekend for getting things into the next bookworm point
> release.
FWIW, no message to this bug with debdiffs attached has made it to
debian-release, because of the size of the attachments. Please do some
combination of compressing them and stripping e.g. autogenerated files
(but explain what you did) in future.
The changelog seems a bit wrong:
+apache2 (2.4.65-1~deb12u1) bookworm; urgency=medium
+
+ * Team upload
+
+ [ Yadd ]
+ * Drop patches included in upstream
+ * New upstream version 2.4.64
+ (Closes: CVE-2025-23048, CVE-2024-42516, CVE-2024-43204, CVE-2024-43394,
+ CVE-2024-47252, CVE-2025-49630, CVE-2025-49812, CVE-2025-53020,
+ CVE-2025-54090)
+ * Unfuzz patches
+
+ [ Bastien Roucariès ]
+ * Add a NEWS entry following CVE-2025-23048
+
+ -- Bastien Roucariès <rouca@debian.org> Tue, 29 Jul 2025 22:18:46 +0200
+
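Review bot: the version in the header, 2.4.65-1~deb12u1, does not match the body of the entry, which records only "New upstream version 2.4.64" and lists CVE-2025-54090 under it; the entry should record the 2.4.65 upstream version and attribute that CVE to it. "Drop patches included in upstream" and "Unfuzz patches" should also name which patches were dropped and which were refreshed, so the debdiff can be checked against that list.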
Why is there no mention of 2.4.65 in the changelog, only 2.4.64? 2.4.65
contains a single change, namely a fix for CVE-2025-54090, but the
changelog claims that fix is part of 2.4.64.
This also seems odd:
diff -Nru apache2-2.4.62/CHANGES apache2-2.4.65/CHANGES
--- apache2-2.4.62/CHANGES 2024-07-11 13:58:12.000000000 +0000
+++ apache2-2.4.65/CHANGES 2025-07-11 01:20:00.000000000 +0000
@@ -1,6 +1,310 @@
-*- coding: utf-8 -*-
+Changes with Apache 2.4.65
+
+Changes with Apache 2.4.64
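Review bot: the `diff -Nru apache2-2.4.62/CHANGES apache2-2.4.65/CHANGES` header and the `@@ -1,6 +1,310 @@` range show the old side is the 2.4.62 source, so this debdiff is taken against 2.4.62 rather than against the 2.4.65-1 package that a ~deb12u1 revision implies; either rebase the debdiff on 2.4.65-1 or use a version such as 2.4.65-0+deb12u1, and state in debian/changelog which base was used.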
The version number used claims that the upload is a simple rebuild of
2.4.65-1, but it actually appears to be the 2.4.62 package with the new
upstream version applied to it. Given the version used, I'd expect
debian/changelog to contain details of the uploads to unstable between
2.4.62-1~deb12u1 and the current upload (and probably not 2.4.62-1~deb12u1 at all).
Personally, I think this should be 2.4.65-0+deb12u1. In any case, the
lack of any mention of 2.4.65 itself in the changelog and the
misplacing of the related CVE fix seems more of a problem.
Regards,
Adam