
Re: If some package have serious bug and fixed on unstable and testing release, how long it will be available on stable release?



On Fri 29 Jan 2021 at 09:59:37 (+0800), Robbi Nespu wrote:
> I am curious about something (as per the title). I am not sure whether
> to ask here or on the devel mailing list.
> 
> Yesterday on OFTC #debian, some guy asked about the unfixed
> CVE-2020-25681 to CVE-2020-25687 for the dnsmasq[1] package on the
> stable release.
> 
> I am not using dnsmasq, but I am curious how and whether it will be
> backported to stable in cases like this.
> 
> Stable = 2.80-1 (vulnerable)
> Testing = 2.83-1 (fix)
> Unstable = 2.84-1 (fix)
> 
> There is a 2-revision gap between stable and testing. Will the security
> team apply the fixes to 2.80-1, or will they update the package rev up
> to 2.83-1?
> 
> 1. https://security-tracker.debian.org/tracker/source-package/dnsmasq

https://security-tracker.debian.org/tracker/CVE-2021-3156
is a timely example of how Debian deals with such problems.
Note in particular the line

 stretch (security) 1.8.19p1-2.1+deb9u3 fixed

showing that stretch's version gets a fix, not an upgrade.

Cheers,
David.