On Fri 29 Jan 2021 at 09:59:37 (+0800), Robbi Nespu wrote:
> I am curious about something (as per title). I'm not sure whether to ask here
> or on the devel mailing list.
>
> Yesterday on OFTC #debian, some guy asked about the unfixed CVE-2020-25681 to
> CVE-2020-25687 for the dnsmasq[1] package on the stable release.
>
> I'm not using dnsmasq, but I'm curious how, and whether, it will be backported to
> stable in cases like this.
>
> Stable = 2.80-1 (vulnerable)
> Testing = 2.83-1 (fix)
> Unstable = 2.84-1 (fix)
>
> There is a 2-revision gap between stable and testing. Will the security
> team apply the fixes on 2.80-1, or will they update the package revision up
> to 2.83-1?
>
> 1. https://security-tracker.debian.org/tracker/source-package/dnsmasq
https://security-tracker.debian.org/tracker/CVE-2021-3156 is a timely example of how Debian deals with such problems. Note in particular the line "stretch (security) 1.8.19p1-2.1+deb9u3 fixed", showing that stretch's version gets a fix, not an upgrade.

Cheers,
David.