Your message dated Sat, 14 Mar 2026 11:48:35 +0000
with message-id <[email protected]>
and subject line Released with 13.4
has caused the Debian Bug report #1129927,
regarding trixie-pu: package dpkg/1.22.22
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1129927: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1129927
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: trixie security
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:dpkg
User: [email protected]
Usertags: pu
Hi!
[ Reason ]
This update includes a CVE fix for a DoS and various fixes for crashes,
unhelpful error handling, and a fix for insufficient dependency
generation (on at least i386).
For the CVE the Security Team didn't deem this important enough, and
considered that it would be better to handle via a stable update.
[ Impact ]
Crashes, hangs, dependency issues, or very confusing error output.
[ Tests ]
I've been testing the CVE fix for some time now locally over daily
upgrades with the version in unstable; for trixie it no longer makes
dpkg-deb busy-loop with the two test .deb archives that are included
in the bug report.
For the rest, the code has been in unstable and forky for some time
now, and I re-tested against trixie:
- that «dpkg-query -S ""» no longer segfaults,
- the verify fix with no keyring with «dpkg-source -x *.dsc» while
forcing removal of sqv, and installing either sqop or gpgv,
- that the test above with dpkg-source and gpgv would not fail due to the
missing import.
I did not have time to re-test the "Version References" symbols fix,
but will try to do that tomorrow.
Also, all usual unit and functional tests done as part of the automated
release process (driven by build-aux/gen-release), passed.
[ Risks ]
The changes in general are not big, and/or they have seen extensive
test coverage in unstable/forky. There were only a couple of code
adaptations required during the cherry-picks that were not involved
at all.
[ Checklist ]
[√] *all* changes are documented in the d/changelog
[√] I reviewed all changes and I approve them
[√] attach debdiff against the package in (old)stable
[√] the issue is verified as fixed in unstable
[ Changes ]
The detailed explanation of all the changes is included in the ChangeLog
in the debdiff, perhaps except for the segfault fix, which was due to
not accessing the varbuf via varbuf_str(), otherwise the other code
filling up the varbuf does not end up nul-terminating it.
[ Other info ]
As usual, I've included the full debdiff, and the following can be
used to filter all autogenerated stuff from it:
,---
xzcat dpkg-1.22.21-1.22.22.debdiff.xz \
  | filterdiff -x '*.po' -x '*.pot' -x '*.in' -x '*/man/*/*.pod' \
               -x '*/configure' -x '*/build-aux/*' -x '*/src/at/*' \
  | less
`---
Thanks,
Guillem
dpkg-1.22.21-1.22.22.debdiff.xz
Description: application/xz
--- End Message ---
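The segfault explained under [Changes] in the request above is a classic C buffer bug: the code filling a growable buffer only advances a byte count and never writes a terminator, so reading the raw storage as a C string runs past the payload. The following C model is an added example and not dpkg's varbuf implementation: the struct layout, the varbuf_* helper names and the 'X' poisoning of fresh capacity are assumptions made here so the missing terminator is visible rather than dependent on whatever the allocator left behind. The only point it demonstrates is the one the report makes: the fill path does not terminate, the accessor does.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical growable byte buffer (not dpkg's varbuf). `used` counts
 * payload bytes only and never includes a terminator. */
struct varbuf {
    size_t used;
    size_t size;
    char *buf;
};

/* Poison new capacity with 'X' so an unterminated buffer is observable. */
static void varbuf_poison(struct varbuf *v, size_t from, size_t to)
{
    if (to > from)
        memset(v->buf + from, 'X', to - from);
}

void varbuf_init(struct varbuf *v, size_t size)
{
    v->used = 0;
    v->size = size ? size : 1;
    v->buf = malloc(v->size);
    if (v->buf == NULL)
        abort();
    varbuf_poison(v, 0, v->size);
}

/* Ensure room for `need` more bytes, doubling the allocation as required. */
static void varbuf_grow(struct varbuf *v, size_t need)
{
    size_t nsize = v->size;
    char *nbuf;

    if (v->used + need <= v->size)
        return;
    while (v->used + need > nsize)
        nsize *= 2;
    nbuf = realloc(v->buf, nsize);
    if (nbuf == NULL)
        abort();
    v->buf = nbuf;
    varbuf_poison(v, v->size, nsize);
    v->size = nsize;
}

/* Append raw bytes. Like the filling code the report describes, this only
 * advances `used` and does not write a terminator. */
void varbuf_add_buf(struct varbuf *v, const void *data, size_t len)
{
    varbuf_grow(v, len);
    memcpy(v->buf + v->used, data, len);
    v->used += len;
}

/* The safe accessor: guarantee buf[used] == '\0' (growing if the buffer is
 * full) and only then hand the memory out as a C string. */
const char *varbuf_str(struct varbuf *v)
{
    varbuf_grow(v, 1);
    v->buf[v->used] = '\0';
    return v->buf;
}

/* Does buf currently satisfy the invariant strlen()/printf("%s") rely on? */
int varbuf_is_terminated(const struct varbuf *v)
{
    return v->used < v->size && v->buf[v->used] == '\0';
}

/* What a caller reading v->buf directly as a string sees. Bounded by `size`
 * here so the demonstration stays defined; a real strlen() keeps scanning
 * past the allocation, which is the crash the fix avoids. */
size_t varbuf_direct_strlen(const struct varbuf *v)
{
    size_t n = 0;

    while (n < v->size && v->buf[n] != '\0')
        n++;
    return n;
}

void varbuf_destroy(struct varbuf *v)
{
    free(v->buf);
    v->buf = NULL;
    v->used = v->size = 0;
}

int main(void)
{
    struct varbuf v;

    varbuf_init(&v, 4);
    varbuf_add_buf(&v, "abc", 3);   /* constructed sample payload */
    printf("raw: terminated=%d direct strlen=%zu used=%zu\n",
           varbuf_is_terminated(&v), varbuf_direct_strlen(&v), v.used);
    printf("via varbuf_str: \"%s\"\n", varbuf_str(&v));
    printf("now: terminated=%d direct strlen=%zu\n",
           varbuf_is_terminated(&v), varbuf_direct_strlen(&v));
    varbuf_destroy(&v);
    return 0;
}
```

The boundary case worth noticing is `used == size`: the buffer is completely full, there is no slot for a terminator at all, and `varbuf_str()` has to grow before it can write the nul. Any reader that bypasses the accessor in that state reads one byte past the allocation.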
--- Begin Message ---
Package: release.debian.org
Version: 13.4
This update has been released as part of Debian 13.4.
--- End Message ---