On Thu, 2025-08-28 at 19:15 +0200, Bastien Roucaries wrote:
> On Thursday 28 August 2025 at 19:09:02 Central European Summer Time, Adam D.
> Barratt wrote:
> [...]
> > The changelog seems a bit wrong:
> > 
> > +apache2 (2.4.65-1~deb12u1) bookworm; urgency=medium
> > +
> > +  * Team upload
> > +
> > +  [ Yadd ]
> > +  * Drop patches included in upstream
> > +  * New upstream version 2.4.64
> > +    (Closes: CVE-2025-23048, CVE-2024-42516, CVE-2024-43204, CVE-2024-43394,
> > +    CVE-2024-47252, CVE-2025-49630, CVE-2025-49812, CVE-2025-53020,
> > +    CVE-2025-54090)
> > +  * Unfuzz patches
> > +
> > +  [ Bastien Roucariès ]
> > +  * Add a NEWS entry following CVE-2025-23048
> > +
> > + -- Bastien Roucariès <[email protected]>  Tue, 29 Jul 2025 22:18:46 +0200
> > +
> > 
> > Why is there no mention of 2.4.65 in the changelog, only 2.4.64? 2.4.65
> > contains a single change, namely a fix for CVE-2025-54090, but the
> > changelog claims that fix is part of 2.4.64.
> 
> I do not understand this, could you rephrase?
> I suppose it is the "New upstream version 2.4.64" part?
> 
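Review bot: the `* New upstream version 2.4.64` entry lists CVE-2025-54090 among the CVEs closed by 2.4.64, while the header line says the package is 2.4.65-1~deb12u1 and the thread states that CVE-2025-54090 is the one fix in 2.4.65; the 2.4.65 import should get its own entry, e.g. `* New upstream version 2.4.65` followed by `(Closes: CVE-2025-54090)`, and that CVE should be dropped from the 2.4.64 list. Separately, the header version 2.4.65-1~deb12u1 sorts below the bullseye version 2.4.65-1+deb11u1 quoted later in the thread, because dpkg orders `~` before `+`, so the bullseye-to-bookworm upgrade path for this package is worth confirming with `dpkg --compare-versions` before the upload is accepted.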
Mentioning 2.4.64 is fine. However, this package *also* includes changes
from 2.4.65, which is not mentioned. It also claims that the CVE fix that
was the reason for 2.4.65 being released was already part of 2.4.64.

So e.g.

+  * New upstream version 2.4.64
+    (Closes: CVE-2025-23048, CVE-2024-42516, CVE-2024-43204, CVE-2024-43394,
+    CVE-2024-47252, CVE-2025-49630, CVE-2025-49812, CVE-2025-53020)
+  * New upstream version 2.4.65
+    (Closes: CVE-2025-54090)

would seem more accurate.

[...]

> The number could not be 2.4.65-0+deb12u due to bullseye being
> 2.4.65-1+deb11u1

Well, that suggests that the bullseye update has the wrong version number
as well, but it's too late to fix that. :-(

Regards,

Adam

