Hi Simon, 在 2019-11-04一的 19:02 +0000,Simon McVittie写道: > On Sun, 03 Nov 2019 at 17:51:09 +0100, Salvatore Bonaccorso wrote: > > On Wed, Oct 30, 2019 at 03:04:26PM +0000, Simon McVittie wrote: > > > How do the security team want to handle this - as a stable update, or > > > as a DSA? It isn't a security fix in its own right, but it fixes what > > > is effectively a regression triggered by fixing CVE-2019-14822 in ibus > > > (#940267, DSA-4525-1). > > > > I would lean towards fixing it via a point release, still even if the > > issue was uncovered/triggered by fixing CVE-2019-14822. This allows to > > a have a slighter more exposure as well before the point release. > > OK. Proposed backports here: > https://salsa.debian.org/gnome-team/glib/commits/debian/buster > > I didn't include > d/p/gcredentialsprivate-Document-the-various-private-macros.patch in this > version, but I did include a backport of the unit test from upstream > git master, together with some subsequent fixes to give it better coverage > and portability. > > I'm smoke-testing a similar backport for stretch, which I'll push when > it passes the build/autopkgtest/piuparts pipeline. > > I'll propose these versions to the release team as-is, but I'll also point > out that the test-related patches can be dropped if they prefer. (Including > the test gives me better confidence that everything is working, though!) > > smcv
This looks good to me. Thanks for all the work achieved! If all tests are passing, please consider submitting a proposed version to the release team, emphasizing that it fixes the regression introduced by ibus/1.5.19-4+deb10u1. The 10.2 point release will be on November 16, which is not too far away. -- Cheers, Boyuan Yang
