Axel,

On Sun, Aug 08, 2021 at 12:14:16PM +0200, Axel Beckert wrote:
> Hi Moritz,
>
> Moritz Mühlenhoff wrote:
> > > Security Team: Do you think the fix for CVE-2021-38165 should get a
> > > DSA? Or do you think it's not important enough and we should target a
> > > minor stable update for it?
> >
> > This breaks a pretty fundamental security assumption for a browser,
>
> Ack.
>
> > so we should fix it via -security, even though lynx is a fringe
> > browser.
>
> Good. Anything which gets the fix into bullseye (and preferably also
> buster) rather sooner than later is fine for me.
>
> > bullseye-security is operational, so we can do both at the same time
> > so that bullseye will be fixed from day one.
>
> That'd be great, thanks!
>
> Feel free to base the security upload upon 2.9.0dev.6-3 which I
> uploaded just recently. From my point of view nothing except the first
> and last line of the debian/changelog entry needs to be changed for
> bullseye-security.

Do I understand correctly that you currently do not have the capacity to
prepare that upload? If so, I can happily chime in, but if you as
maintainer will, that will be perfectly preferable.

If so, I suggest: just do a ~deb11u1 on top of the current unstable
upload, with changelog entry "Rebuild for bullseye-security", then pass
-v2.9.0dev.6-2 to the dpkg-genchanges invocation, to include all changelog
entries from 2.9.0dev.6-3 up to 2.9.0dev.6-3~deb11u1 into the changes file.

Make sure to build with -sa, as lynx/2.9.0dev.6 is new for dak on
security-master.

>
> I can also look into how well the patch applies to buster's version of
> Lynx, but it might take until Monday.

Thank you!

Salvatore