On Fri, Dec 20, 2019 at 10:24:20PM +0100, Salvatore Bonaccorso wrote:
>
> And released as DSA 4591-1. Note: The patch was not upstream committed
> at point of writing this. And I see Mike did as well release for LTS.
>
I saw that Mike did updates for jessie (LTS) and wheezy (ELTS).

> > > unstable would need an update as well yet.
> > >
> > Of course.
>
> Ideally this happens soon, but the RC bug is enough to mark the
> 'stable' -> 'testing' regression. Just let me know if any of you can
> do it or if you would prefer a NMU with same patch (both approaches
> work for me).
>
I have made an upload to unstable of version 2.1.27+dfsg-2 with the
patch that fixes the CVE.

> > > Can you later import then the changes in the packaging repository in
> > > the appropriate branches?
> > >
> > I could manage that in the coming days. Unless Ondrej or someone else
> > gets to it first.
>
> Thanks!
>
As a summary, here is the state of cyrus-sasl2 in the various releases
and the associated Git branches in Salsa:

sid: up to date on master branch, Debian version 2.1.27+dfsg-2 has been
     uploaded

bullseye: waiting on transition of package from sid, no associated
          branch in Salsa

buster: new branch, master-buster*, contains new commit representing
        Debian version 2.1.27+dfsg-1+deb10u1

stretch: new branch, master-stretch*, contains two (2) new commits
         representing Debian versions 2.1.27~101-g0780600+dfsg-3 (NMU
         in 2017 which was not recorded following
         2.1.27~101-g0780600+dfsg-2) and Debian version
         2.1.27~101-g0780600+dfsg-3+deb9u1 with the patch for this CVE

jessie: history has diverged; there is already an old commit and tag
        for Debian version 2.1.26.dfsg1-13+deb8u2 from 2016 which
        collides with Mike's recent 2.1.26.dfsg1-13+deb8u2 jessie
        update, so I have not done anything with this

wheezy: up to date on existing master-wheezy branch based on Mike's
        2.1.25.dfsg1-6+deb7u2 ELTS updates

* As far as the new master-buster and master-stretch branches, I only
  made those branches to record the changes which have already been
  uploaded. In particular, I did not update debian/gbp.conf to note
  the new branch names; such a change will be required if we decide to
  make further revisions along either of the new branches and then
  build from the Git repository.

I have pushed tags for each of the above versions as well (except the
jessie version, as noted).

I include all of this information so that the cyrus-sasl2 in particular
is made aware of all the changes I have pushed.

Regards,

-Roberto

-- 
Roberto C. Sánchez