On Thu, 24 Dec 2020 06:31:31 +0100 Salvatore Bonaccorso <car...@debian.org> wrote:
> Hi Alexander,
> 
> On Tue, Dec 22, 2020 at 07:57:15PM +0300, Alexander Gerasiov wrote:
> > On Sun, 20 Dec 2020 11:50:42 +0200
> > Adrian Bunk <b...@debian.org> wrote:
> > > this is a regression in 1.2.1+dfsg-2 that is currently in both
> > > buster-security (which was done on top of 1.2.1+dfsg-2 that
> > > introduced the regression, not on top of 1.2.1+dfsg-1 in buster)
> > > and in unstable/testing (which currently misses the CVE fixes).
> > > 
> > > It would be good if you could make an upload to unstable with this
> > > bug fixed on top of 1.2.1+dfsg-2+deb10u1, and then backport that
> > > change to buster.
> > > 
> > > Please coordinate with the security team whether this would
> > > warrant a regression update to the DSA or should be done through
> > > the next point release.
> > 
> > Hi, Team.
> > 
> > Does anyone object to uploading the fix to stable-proposed-updates?
> > The fix is here:
> > https://salsa.debian.org/debian/minidlna/-/commits/buster-security/
> > Or should it go to buster-security?
> 
> Fixing it via buster-proposed-updates in the next point release works.
> 
> As a regression from the last DSA, given we all had not spotted it was
> based on the testing version, I think we can as well release it via a
> regression update via buster-security.
> 
> This will only be an issue if someone decides to purge the package in
> stable.
> 
> The other issue: As the update was based on -2 rather than -1 it
> contains several more (packaging) changes as well, and I wonder if
> current stable users might have any issue with those (I suspect not,
> because the systemd service addition is probably ok, the move of the
> log directory might though be surprising in a stable update, and the fix
> for #941410 is probably just a benefit).
> 
> Do you anticipate any problems which would arise from the fact that we
> released it on top of the "wrong" version?

You got it absolutely right.
The only notable changes in -2 are:
1. systemd unit
2. logdir location
Others are packaging improvements and bugfixes we tested in testing for months, so I don't expect any regression here.

So I have two open questions:
1. Which version to upload? (I could upload a version equal to 1.2.1+dfsg-1 + the CVE fixes on top (rolling back all accidental changes). Or I can only fix #975372 in the current buster-security version, as I did in testing.)
2. Where to upload? (buster-security or buster-proposed-updates)

Please help me with the decision =)

-- 
Best regards,
Alexander Gerasiov
Contacts:
e-mail: a...@gerasiov.net
WWW: https://gerasiov.net
TG/Skype: gerasiov
PGP fingerprint: 04B5 9D90 DF7C C2AB CD49 BAEA CA87 E9E8 2AAC 33F1