Hi,

On 07/05/2025 14:56, Roberto C. Sánchez wrote:
On Wed, May 07, 2025 at 02:46:04PM +0200, Moritz Schlarb wrote:
On Wed, 2025-05-07 at 10:59 +0000, Moritz Mühlenhoff wrote:
So RedHat has provided more information and we know it's fixed by
https://github.com/OpenIDC/mod_auth_openidc/commit/29ea79dea97cdab1b0d150af2c9a50a442e7216e
and as you are already aware as well upstream has created
https://github.com/OpenIDC/mod_auth_openidc/security/advisories/GHSA-x7cf-8wgv-5j86

Let's also fix that one via a DSA. Moritz, could you please prepare an update
for bookworm-security?

I have also prepared a fixed version for Bullseye (see attached debdiff), but
now I have a workflow question:
The package/issue is not yet claimed in dla-needed.txt and [1] insists that
this should be done before all else by front desk. If that is true, somebody
please do so, otherwise, I assume I could then go ahead with uploading the
package and claiming and issuing the DLA, right?

Ordinarily this is the case. The purpose is to ensure that we minimize
the possibility of unnecessary and/or duplicate work. However, since you
have already prepared the update and are ready to upload and issue the
DLA, there isn't much of a need to first list the package in
dla-needed.txt.

So, in this case, don't worry about having the package show up in
dla-needed.txt first. You are free to upload and issue the DLA.

Since the DLA is not out yet, I added an entry in dla-needed.txt.

Cheers!
Sylvain Beucler
(FD this week)
