Hi Salvatore,

On Wed, Feb 03, 2021 at 09:39:25PM +0100, Salvatore Bonaccorso wrote:
> Hi Benjamin,
>
> On Mon, Jan 18, 2021 at 07:19:14PM -0800, Benjamin Kaduk wrote:
> > On Mon, Jan 18, 2021 at 06:04:39PM +0000, Jeremy Stanley wrote:
> > > Thanks for pulling this into unstable and testing! Is there any work
> > > in progress to fix it in stable as well? I took a quick peek in
> > > Salsa and didn't see any merge requests or an obvious branch for
> > > Buster's 1.8.2 (just the debian/1.8.2-1 tag).
> >
> > It is a clear candidate to fix in stable, though the only concrete steps
> > I've been able to take so far are to confirm with the security team that it
> > is not a candidate for being fixed via a DSA.
> >
> > The actual work of backporting the patches should be ~trivial, so the
> > process work of engaging with the release team will be the dominating
> > factor.
>
> Do you still have this on your radar? While as discussed this is not a
> DSA candidate a fix can be released out of order from a point release
> via the stable-updates mechanism, and this would be definitively a
> candidate for it.

Yes, it's still on my radar but process has been slower than expected.
In order to do testing in a real buster environment I had to re-create
my VM infrastructure since I have gotten a new machine since I last did so.

> The procedure would be the same as proposing the fix to be released in
> a point release, but mentioning to the SRM that the fix actually needs
> to go out sooner (should be clear from context here), and pushed via a
> SUA.
>
> https://lists.debian.org/debian-devel-announce/2011/03/msg00010.html
> https://lists.debian.org/debian-stable-announce/
> https://wiki.debian.org/StableUpdates
>
> I think this becomes now even more urgent as users will roll out the
> linux update released as DSA 4843-1 or latest at the 10.8 point
> release on weekend and make the issue more urgent.

I've put the needed packaging changes into the 'buster' branch at
https://salsa.debian.org/debian/openafs/ and know of a few sites that are
running packages using that code in production. I've been able to do local
testing of the client-side functionality as well, and just need to test the
server functionality before I file the bug with the release team.

Thanks for checking in and the pointers for the process to follow!

-Ben