On Mon, May 03, 2021 at 07:58:06AM +0200, Tobias Frost <t...@coldtobi.de> wrote:
> I just gave upstream a pointer to the ircii code that fixes this CVE. Maybe
> they have tested it?

I reached out via email yesterday and I'm awaiting a response.

> (MIA Team hat partly on) That sounds a bit like the package should be
> orphaned or some RFH/RFA bug being filed? Or join efforts in some team?
> As said, you can use mentors.debian.net for uploading. The only hard
> point I can't give you advice is the time issue…

Well, there was a time issue and a potential employer issue (and I can't
expect advice from you on either :). I've spoken with my employer and
confirmed that there actually isn't an issue there.

> But maybe you'll find a bit of time working to update your package;
> But note, we are currently frozen, uploads to unstable should be
> minimal and targeted fixes only…

Understood; I've updated the 2.2.3-1 package from the PR and from a small
patch upstream made to that, and, as noted above, just want to make sure
it's tested before bugging mentors.debian.net for assistance uploading.
(I'm still unclear on if the package version should be updated to indicate
that this is a security fix, but that's obviously a very small detail
overall that can be dealt with at any point before upload.)

On Thu, May 13, 2021 at 02:10:05PM +0300, Adrian Bunk <b...@debian.org> wrote:
> https://security-tracker.debian.org/tracker/CVE-2021-29376
> [buster] - scrollz <no-dsa> (Minor issue)
> 
> So the correct instructions are in this case
> https://www.debian.org/doc/manuals/developers-reference/pkgs.html#special-case-uploads-to-the-stable-and-oldstable-distributions

I can build/test on a stable and an oldstable system, but per those
instructions, I'll first focus on getting a 2.2.3-2 uploaded to unstable
that contains just the fix that would then go into 2.2.3-1+deb10u1 (and
potentially 2.2.3-1+deb9u1, if that even makes sense timing-wise anymore).

Given the existence of a CVE and a security-tracker entry, what is the
appropriate urgency for these uploads? (I'm happy to reach out to the team
if that's more appropriate.)

-- 
Mike Markley <m...@markley.org>