Bug#1109084: New debdiff
On Thu, 2025-08-28 at 19:15 +0200, Bastien Roucaries wrote:
> On Thursday 28 August 2025, 19:09:02 Central European Summer Time, Adam D.
> Barratt wrote:
>
[...]
> > The changelog seems a bit wrong:
> >
> > +apache2 (2.4.65-1~deb12u1) bookworm; urgency=medium
> > +
> > + * Team upload
> > +
> > + [ Yadd ]
> > + * Drop patches included in upstream
> > + * New upstream version 2.4.64
> > + (Closes: CVE-2025-23048, CVE-2024-42516, CVE-2024-43204, CVE-
> > 2024-43394,
> > + CVE-2024-47252, CVE-2025-49630, CVE-2025-49812, CVE-2025-
> > 53020,
> > + CVE-2025-54090)
> > + * Unfuzz patches
> > +
> > + [ Bastien Roucariès ]
> > + * Add a NEWS entry following CVE-2025-23048
> > +
> > + -- Bastien Roucariès <rouca@debian.org> Tue, 29 Jul 2025
> > 22:18:46 +0200
> > +
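Review bot: the `Closes:` list attached to `* New upstream version 2.4.64` includes CVE-2025-54090, although the version header `2.4.65-1~deb12u1` shows the package imports 2.4.65, and the reply below notes that 2.4.65 consists of exactly that one fix; no entry records the 2.4.65 import at all. Split the attribution into a separate `* New upstream version 2.4.65` entry with `(Closes: CVE-2025-54090)` so the changelog's CVE-to-version mapping matches what was actually shipped, which is what tracker tooling and reviewers rely on.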
> >
> > Why is there no mention of 2.4.65 in the changelog, only 2.4.64?
> > 2.4.65
> > contains a single change, namely a fix for CVE-2025-54090, but the
> > changelog claims that fix is part of 2.4.64.
>
> I do not understand this; could you rephrase?
> I suppose it is the "New upstream version 2.4.64" part?
>
Mentioning 2.4.64 is fine. However, this package *also* includes
changes from 2.4.65, which is not mentioned. It also claims that the
CVE fix that was the reason for 2.4.65 being released was already part
of 2.4.64.
So, e.g.,
+ * New upstream version 2.4.64
+ (Closes: CVE-2025-23048, CVE-2024-42516, CVE-2024-43204, CVE-2024-43394,
+ CVE-2024-47252, CVE-2025-49630, CVE-2025-49812, CVE-2025-53020)
+ * New upstream version 2.4.65
+ (Closes: CVE-2025-54090)
would seem more accurate.
[...]
> The number could not be 2.4.65-0+deb12u due to bullseye being
> 2.4.65-1+deb11u1
Well, that suggests that the bullseye update has the wrong version
number as well, but it's too late to fix that. :-(
Regards,
Adam