Hallo, * Andreas Beckmann [Mon, Jan 13 2020, 11:20:25AM]: > Package: release.debian.org > Severity: normal > Tags: buster > User: release.debian....@packages.debian.org > Usertags: pu > > Hi, > > let's make apt-cacher-ng in stable usable for sid and bullseye, again, > by increasing some decompression buffers. #942634 > > This is a rebuild of the package in testing and already uploaded.
"already uploaded" is like "shoot first, ask questions later", so I am not amused. I was going to request a stable update anyway in about two days from now; the plan was to create buster-pu ticket for a backport of CVE-2020-5202 fix AND also include a backport of the length fix. What you created anyway now. Well then, I suggest to wait another day or two and just reuse your ticket. CVE details: https://salsa.debian.org/blade/apt-cacher-ng/commit/3b91874b0c099b0ded1a94f1784fe1265082efbc https://metadata.ftp-master.debian.org/changelogs//main/a/apt-cacher-ng/apt-cacher-ng_3.3.1-1_changelog At release team, please advise: could I also introduce the little fix of #948259? It's really peanuts but would make ArchLinux people happy. See https://salsa.debian.org/blade/apt-cacher-ng/commit/a685db7aee472dd2c85f430aa345b28e22a60d9e for details. Also, since I am the upstream author: shall I make a real upstream release for that? (you can say no because of any process requirements the release team has in mind but that would not make much sense since I will create that upstream release version anyway, ending up in an official 3.2.1 version and a Debian-specific 3.2-3 revision with effectively the same code) Best regards, Eduard.