On Wed, Apr 29, 2026 at 07:44:24AM +0200, Troels Arvin @ Ubuntu wrote:
> Hello,
Hi,
> Athos Ribeiro wrote:
> > The first step is to assess if other supported Ubuntu versions are
> > indeed affected.
> As mentioned in an update to
> https://bugs.launchpad.net/ubuntu/+source/mapserver/+bug/2069291 :
> * mapserver for Noble (mapserver 8.0.1-4ubuntu2) is affected by
> CVE-2025-59431 and CVE-2026-33721, since the package was generated
> 2024-03-31.
> * mapserver for Questing (Ubuntu 25.10) is affected by CVE-2026-33721,
> since the package was generated 2025-05-23.
> * mapserver for Resolute (Ubuntu 26) is affected by CVE-2026-33721,
> since the package was generated 2026-01-26, and the CVE was
> published later in 2026.
> They can probably all be fixed by (back-)porting patches or packages
> from Debian, but I'm wary about stepping in to help, because I would
> not have a system for them to be used for real work, so the kind of
> testing I'd do would be very narrow.
I understand it. Still, we are fixing CVEs with patches that come from
the upstream project. If there are any regressions, users would report
and we could act accordingly.
> And frankly, I'm disheartened by the amount of paperwork which seems
> to be involved with trying to help out. For example: Is the SRU
> process really needed for a package update which is not a new version
> (which only adds patches to an existing version)?
TBH, since we are fixing CVEs here, these uploads would go through the
security pocket, meaning we do not really need the SRU paperwork. The
reason I suggested filing it was to ensure we had a clear understanding
of the issues and good reproducers/verification process to ensure we are
fixing the issue and there were no obvious regressions there.
See https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures and
https://wiki.ubuntu.com/SecurityTeam/SponsorsQueue for reference.
I do understand the pain on the process though. But the processes are
indeed needed to ensure our users do not get affected by regressions
when updating their systems.
If you want to drive the process, I would be happy to assist by
providing reviews, guiding you through the processes, and helping find a
sponsor along the way (I am not in the security team). Note that
Universe packages are community maintained. Therefore, this here is
exactly how the package gets to receive a fix.
I did check which upstream patches are needed for each of the CVEs,
which could be used for fixing version 8. I will update the bug with my
findings.
--
Athos Ribeiro
--
Ubuntu-motu mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-motu