Hi Moritz,

Moritz Mühlenhoff wrote:
> > Security Team: Do you think the fix for CVE-2021-38165 should get a
> > DSA? Or do you think it's not important enough and we should target a
> > minor stable update for it?
>
> This breaks a pretty fundamental security assumption for a browser,

Ack.

> so we should fix it via -security, even though lynx is a fringe
> browser.

Good. Anything which gets the fix into bullseye (and preferably also
buster) rather sooner than later is fine for me.

> bullseye-security is operational, so we can do both at the same time
> so that bullseye will be fixed from day one.

That'd be great, thanks!

Feel free to base the security upload upon 2.9.0dev.6-3 which I
uploaded just recently. From my point of view nothing except the first
and last line of the debian/changelog entry needs to be changed for
bullseye-security.

I can also look into how well the patch applies to buster's version of
Lynx, but it might take until Monday.

Regards, Axel
-- 
 ,''`.  |  Axel Beckert <a...@debian.org>, https://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  4096R: 2517 B724 C5F6 CA99 5329 6E61 2FF9 CD59 6126 16B5
  `-    |  1024D: F067 EA27 26B9 C3FC 1486 202E C09E 1D89 9593 0EDE