On Thursday, 28 August 2025, 19:09:02 Central European Summer Time, Adam D. Barratt wrote:
> On Wed, 2025-08-27 at 22:27 +0200, Salvatore Bonaccorso wrote:
> > Any news here for the upload of apache2 for the bookworm point
> > release?
> >
> > An update would need to happen soon now, as window is closing
> > upcoming weekend for getting things into the next bookworm point
> > release.
>
> FWIW, no message to this bug with debdiffs attached has made it to
> debian-release, because of the size of the attachments. Please do some
> combination of compressing them and stripping e.g. autogenerated files
> (but explain what you did) in future.
>
> The changelog seems a bit wrong:
>
> +apache2 (2.4.65-1~deb12u1) bookworm; urgency=medium
> +
> + * Team upload
> +
> + [ Yadd ]
> + * Drop patches included in upstream
> + * New upstream version 2.4.64
> + (Closes: CVE-2025-23048, CVE-2024-42516, CVE-2024-43204, CVE-2024-43394,
> + CVE-2024-47252, CVE-2025-49630, CVE-2025-49812, CVE-2025-53020,
> + CVE-2025-54090)
> + * Unfuzz patches
> +
> + [ Bastien Roucariès ]
> + * Add a NEWS entry following CVE-2025-23048
> +
> + -- Bastien Roucariès <rouca@debian.org> Tue, 29 Jul 2025 22:18:46 +0200
> +
>
> Why is there no mention of 2.4.65 in the changelog, only 2.4.64? 2.4.65
> contains a single change, namely a fix for CVE-2025-54090, but the
> changelog claims that fix is part of 2.4.64.

I do not understand this, could you rephrase? I suppose it is the "New upstream version 2.4.64" part?

>
> This also seems odd:
>
> diff -Nru apache2-2.4.62/CHANGES apache2-2.4.65/CHANGES
> --- apache2-2.4.62/CHANGES 2024-07-11 13:58:12.000000000 +0000
> +++ apache2-2.4.65/CHANGES 2025-07-11 01:20:00.000000000 +0000
> @@ -1,6 +1,310 @@
> -*- coding: utf-8 -*-
> +Changes with Apache 2.4.65
> +
> +Changes with Apache 2.4.64
>
> The version number used claims that the upload is a simple rebuild of
> 2.4.65-1, but it actually appears to be the 2.4.62 package with the new
> upstream version applied to it. Given the version used, I'd expect
> debian/changelog to contain details of the uploads to unstable between
> 2.4.62-1~deb12u1 and the current upload (and probably not 2.4.62-
> 1~deb12u1 at all).
>
> Personally, I think this should be 2.4.65-0+deb12u1. In any case, the
> lack of any mention of 2.4.65 itself in the changelog and the
> misplacing of the related CVE fix seems more of a problem.

OK, could you drop the PU I just uploaded in this case?

The number could not be 2.4.65-0+deb12u due to bullseye being 2.4.65-1+deb11u1

I can redo the changelog if needed.

rouca

>
> Regards,
>
> Adam
>
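Review bot: In the quoted debian/changelog hunk, the entry is versioned 2.4.65-1~deb12u1 but its only upstream-version bullet is "New upstream version 2.4.64", and CVE-2025-54090 sits in that bullet's list with the other eight CVEs. Add a separate "New upstream version 2.4.65" bullet and move CVE-2025-54090 under it, since the reply identifies that fix as the single change in 2.4.65. Also, "Closes:" in a Debian changelog is parsed for bug numbers, so the CVE identifiers after it close nothing; list them without "Closes:" or add the matching bug numbers.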
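Review bot: The file headers of the quoted CHANGES hunk show the diff is taken from apache2-2.4.62 to apache2-2.4.65, so debian/changelog should account for everything between 2.4.62 and 2.4.65 rather than read as a rebuild of a 2.4.65-1 package. The quote stops after the "Changes with Apache 2.4.65" and "Changes with Apache 2.4.64" headings although the hunk header announces 310 resulting lines, so check the entries under each heading in the full file and attribute each fix in debian/changelog to the release whose section lists it.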
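The version strings argued over in this thread can be checked against Debian's version ordering, in which `~` sorts before everything, including the end of the string. The following is an added example, not part of the original message and not dpkg's code: a simplified re-implementation of that ordering, with hypothetical function names (`compare`, `_cmp_part`, `_split`).

```python
import re
from itertools import zip_longest

def _order(ch):
    """Sort weight of one non-digit character ('' stands for end of string)."""
    if ch == "~":
        return -1                      # tilde sorts before everything, even the end
    if ch == "":
        return 0
    return ord(ch) if ch.isalpha() else ord(ch) + 256   # letters before punctuation

def _cmp_part(a, b):
    """Compare two upstream-version or revision strings; returns -1, 0 or 1."""
    # re.split with a capture group alternates non-digit runs and digit runs.
    pairs = zip_longest(re.split(r"(\d+)", a), re.split(r"(\d+)", b), fillvalue="")
    for idx, (x, y) in enumerate(pairs):
        if idx % 2:                    # digit run: numeric comparison
            kx, ky = [int(x or 0)], [int(y or 0)]
        else:                          # non-digit run: character by character
            width = max(len(x), len(y))
            kx = [_order(x[i:i + 1]) for i in range(width)]
            ky = [_order(y[i:i + 1]) for i in range(width)]
        if kx != ky:
            return -1 if kx < ky else 1
    return 0

def _split(version):
    """Split '[epoch:]upstream[-revision]' into its three fields."""
    epoch, _, rest = version.partition(":") if ":" in version else ("0", "", version)
    upstream, sep, revision = rest.rpartition("-")
    if not sep:                        # no hyphen: there is no Debian revision
        upstream, revision = rest, ""
    return int(epoch), upstream, revision

def compare(a, b):
    """Return -1, 0 or 1 as version a sorts before, equal to or after b."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_part(ua, ub) or _cmp_part(ra, rb)

if __name__ == "__main__":
    # Version strings taken from the thread above.
    for a, b in [("2.4.65-1~deb12u1", "2.4.65-1"),
                 ("2.4.65-0+deb12u1", "2.4.65-1+deb11u1"),
                 ("2.4.62-1~deb12u1", "2.4.65-1~deb12u1")]:
        print(a, "<=>"[compare(a, b) + 1], b)
```

On a Debian system, `dpkg --compare-versions` performs the authoritative comparison.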