Hi Moritz,

Moritz Mühlenhoff wrote:
> > Security Team: Do you think the fix for CVE-2021-38165 should get a
> > DSA? Or do you think it's not important enough and we should target a
> > minor stable update for it?
> 
> This breaks a pretty fundamental security assumption for a browser,

Ack.

> so we should fix it via -security, even though lynx is a fringe
> browser.

Good. Anything which gets the fix into bullseye (and preferably also
buster) sooner rather than later is fine for me.

> bullseye-security is operational, so we can do both at the same time
> so that bullseye will be fixed from day one.

That'd be great, thanks!

Feel free to base the security upload upon 2.9.0dev.6-3 which I
uploaded just recently. From my point of view nothing except the first
and last line of the debian/changelog entry needs to be changed for
bullseye-security.

I can also look into how well the patch applies to buster's version of
Lynx, but it might take until Monday.

                Regards, Axel
-- 
 ,''`.  |  Axel Beckert <a...@debian.org>, https://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5
  `-    |  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE
