Hi Simon, and all others,

First: thanks for all your work and energy put into resolving this issue.

On Wed, Oct 30, 2019 at 03:04:26PM +0000, Simon McVittie wrote:
> On Wed, 30 Oct 2019 at 15:45:19 +0100, Gunnar Hjalmarsson wrote:
> > Seeing that you included quite a few patches in this update, I have a
> > question as regards the stable releases. Are the commits included in
> > <https://gitlab.gnome.org/GNOME/glib/merge_requests/1176> a standalone set
> > of commits which would be sufficient for patching the stable releases in
> > order to fix the IBus/Qt issue? I'm asking with my Ubuntu glasses on at
> > first hand (in Ubuntu 16.04 we have glib2.0 2.48...), but the question does
> > reasonably apply to Debian too.
>
> I was hoping to let glib2.0 get some testing in unstable before
> backporting anything. A build of GLib with amd64, i386, build-time tests,
> autopkgtest and piuparts takes about an hour, and I have to do my actual
> job as well, so I can't iterate on this particularly rapidly.
>
> How do the security team want to handle this - as a stable update, or
> as a DSA? It isn't a security fix in its own right, but it fixes what
> is effectively a regression triggered by fixing CVE-2019-14822 in ibus
> (#940267, DSA-4525-1).

[...]

I would lean towards fixing it via a point release, still even if the
issue was uncovered/triggered by fixing CVE-2019-14822. This allows to
have slightly more exposure as well before the point release.

Would you agree? And have you the resources to prepare fixes?

Regards,
Salvatore