On Tue, Apr 28, 2026 at 04:22:21PM +0200, Troels Arvin wrote:
Hello,

Athos Ribeiro wrote:
Since you are adding a delta, that string needs to change to include
"ubuntu" in it. Please, read the documentation I provided in my previous
reply.

I have read the documentation. But I don't think it's obvious what should happen here.

The previous Ubuntu version is 7.6.4-2build2.

There has never been a version 7.6.4 in an ordinary Debian release, except that "sid" had a 7.6.4 at some point, but it's not clear to me if Ubuntu's package is based on that.

This is based on Debian's 7.6.4-2.


So the package I'm proposing is a continuation of an Ubuntu package, with additional patches inspired by a Debian package with version mapserver_7.6.2-1+deb11u2 (note the slightly older base version 7.6.2).

If the resulting name is not "7.6.4-2build2.1" as I propose, is it then "7.6.4-2build2-ubuntu1", or something else?

7.6.4-2ubuntu0.1

Newer Ubuntus have another Mapserver generation (8 instead of 7), so I have not tried to address that.

If the CVE is present in those, they MUST be fixed before jammy.

I have no installation where I can properly test it on non-Jammy Ubuntus. Wouldn't it be better to at least get the security bugs fixed for Jammy, rather than having it fixed nowhere? (And then maybe someone else who uses Mapserver 8 with later Ubuntu generation(s) can contribute fixes there.)

The first step is to assess if other supported Ubuntu versions are
indeed affected. If they are, we must fix them there before fixing it in
Jammy. The reason underlying this process is the upgrade path: a user
should not get a bug fixed just to upgrade their system to a newer Ubuntu
release and have the bug back in their system.

Regarding you having no installation to properly test it: it is a common
process to use chroots to build images (see sbuild) in any supported
release, and to use LXD to run containers (or VMs) to perform tests when
needed. But the first step would really be to check if those versions
in noble, resolute, and stonking are indeed affected by the CVEs.


You should also attach the debdiff to that bug.

OK, I can do that.

Thanks.

Is there any sensitive or embargoed information in that bug? If the
CVEs are public now, I suppose the bug does not need to be private.

Good point. I've made it public: https://bugs.launchpad.net/ubuntu/+source/mapserver/+bug/2069291

Thanks.

--
Athos Ribeiro

--
Ubuntu-motu mailing list