Control: tags -1 + moreinfo

Hi,

On Tue, Jul 01, 2025 at 12:26:46AM +0200, Daniel Leidert wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bookworm
> X-Debbugs-Cc: commons-...@packages.debian.org
> Control: affects -1 + src:commons-vfs
> User: release.debian....@packages.debian.org
> Usertags: pu
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> [ Reason ]
>
> CVE-2025-27553 has been fixed in Sid/Trixie and in Bullseye for some time now.
> But users of Bookworm are still vulnerable. This upload attempts to close that
> gap and to ensure a clean upgrade path for LTS users to Bookworm.
>
> [ Impact ]
>
> If the upload isn't approved, Bookworm users will continue to be vulnerable,
> and LTS users that upgrade to Bookworm will become vulnerable.
>
> [ Tests ]
>
> The tests are run during build and don't show any issues. The patch was also
> tested by the author and package maintainer, and there haven't been any reports
> about issues by users of Sid/Trixie or Bullseye.
>
> [ Risks ]
>
> The usual risks include regressions. But the patch has been tested and
> successfully deployed to Sid/Trixie and Bullseye without any reported issues.
>
> [ Checklist ]
> [x] *all* changes are documented in the d/changelog
> [x] I reviewed all changes and I approve them
> [x] attach debdiff against the package in (old)stable
> [x] the issue is verified as fixed in unstable
>
> [ Changes ]
>
> The patch changes the normalization process, taking into account URL-encoded
> characters.

Markus Koschany is taking care of commons-vfs for a DSA, so I'm looping him in
to see if he is fine with you doing the update via bookworm-pu.

Markus, what is your take on it?

Regards,
Salvatore