Hi [disclaimer, not an authoritative answer as not part of the stable release managers]

On Sat, Mar 16, 2024 at 09:09:05AM +0100, Petter Reinholdtsen wrote:
>
> Package: release.debian.org
>
> The <URL: https://tracker.debian.org/pkg/newlib > package got an open
> security problem with malloc and friends in stable and oldstable, see
> <URL: https://bugs.debian.org/984446 > for the CVE issue. The package
> is orphaned.
>
> I would like to fix the bug at least in stable, and propose the
> following upload. The change is already in the git repo on salsa in the
> debian/bookworm branch. The problem is already fixed in unstable and
> testing with a new version of the upstream code. The fix to stable is
> only the minimal patch to solve the issue.
>
> I propose to use the version number 3.3.0-2, but am open to better
> proposals. The version in testing is 4.4.0.20231231-2.

Usually you would choose for this update 3.3.0-1.3+deb12u1, but given
3.3.0-2 was never present in unstable and the version later moved on,
this is in theory possible.

>
> Complete proposed patch is below:
>
> diff --git a/debian/changelog b/debian/changelog
> index b3e3ef851..1c8ddc5cb 100644
> --- a/debian/changelog
> +++ b/debian/changelog
> @@ -1,3 +1,12 @@
> +newlib (3.3.0-2) bookworm; urgency=medium
> +
> + * QA upload.
> + * Orphan package to reflect status in Unstable.
> + * Added mallocr-CVE-2021-3420.patch to solve incorrect overflow
> + check in malloc and friends.

I would add as well the bug closer for #984446.

Regards,
Salvatore
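Review bot: The changelog bullet for mallocr-CVE-2021-3420.patch does not reference the bug it fixes, so the BTS will not be updated on upload; append `(Closes: #984446)` to the line `+ check in malloc and friends.` Note also that the hunk header `@@ -1,3 +1,12 @@` announces 12 added lines but only 6 are visible in this message, so the rest of the entry, including the trailer line with maintainer and date, cannot be reviewed here.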