Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: 991...@bugs.debian.org
Dear release team,

This request is to discuss the present situation with the telegram-desktop package. On July 16, some weaknesses in the MTProto implementation in Telegram Desktop before 2.8.8 were disclosed under CVE-2021-36769. So the version currently in testing, 2.6.1, has the security issue.

I examined commits from the upstream Git repository which potentially fix the issue, and I found they do not apply cleanly on top of the 2.6.1 version. Even if they had applied, or if I had resolved the merge conflicts with them, I could not guarantee their effectiveness against the issue. So I see two possible options here:

1. Update the package to the latest upstream release. That is what this request is about. The release brings a lot of new code and many new features which we will not be able to test carefully on the tight deadlines before bullseye. We will also need to update the satellite packages: libtgowt with a fresh upstream commit and libtgvoip with a no-source-change rebuild. The approximate size of the debdiffs is about 20MB. You can currently view the difference in Git on salsa.d.o:

https://salsa.debian.org/debian/telegram-desktop/-/merge_requests/37
https://salsa.debian.org/debian/libtgowt/-/merge_requests/6

With this type of issue, it is better to have the fix now than not to fix it at all. If you permit the update, I will proceed and properly supplement this bug report with complete diffs. But on the other hand...

2. We can do nothing at the moment, fix the issue later for bookworm, and then backport the update to bullseye and buster. The Telegram team assured me the issue is not too risky in practice and is only of theoretical interest.

[ Reason ]
Fix a security issue in the implementation of the underlying Telegram protocol, MTProto: CVE-2021-36769.

[ Tests ]
Not fully; only a manual smoke test has been done. The app still starts.

[ Risks ]
Complex code in a leaf package and related packages. The libtgowt and libtgvoip packages carry static libraries, so their update does not affect anything immediately. We also need to rebuild the telegram-desktop package.

[ Checklist ]
[x] all changes are documented in the d/changelog
[ ] I reviewed all changes and I approve them
[ ] attach debdiff against the package in testing

unblock telegram-desktop/2.8.10+ds-1
unblock libtgowt/0~git20210627.91d836d+dfsg-1
unblock libtgvoip/2.4.4+git20210101.13a5fcb+ds-3