On Wed, Jan 10, 2024 at 10:48 PM Xiyue Deng <manp...@gmail.com> wrote:
> > You can check the developer page of zfs-linux[1] on which the "action > needed" section has information about security issues (along with > version info as Gareth posted). The one you mentioned was being tracked > in [2] and the corresponding Debian bug is [3]. My guess is that as > zfs-linux is not in "main" but "contrib", and the issue is marked > "no-dsa" (see [4]), there may be no urgency to provide a stable update. > But you may send a follow up in the tracking bug and ask for > clarification from the maintainers on whether an (old)stable-update is > desired. > Thanks, so it *was* my searching skills that failed me: "The fix will land in bookworm-backports and bullseye-backports-sloppy shortly after 2.1.14-1 migrates to testing, which will take about 2 days hopefully. Fixes to 2.0.3-9+deb11u1 (bullseye) and 2.1.11-1 (bookworm) are planned but will likely take more time." I think the bug is mislabeled as "security" and "important", as this is primarily a severe data corruption bug, but with *possible* security implications. It is far more concerning that one cannot trust that cp actually copies a file, and this is a blocker for installing the ZFS packages in Debian. -- Jan