Hi Noah, On Wed, Sep 24, 2025 at 09:29:27AM -0400, Noah Meyerhans wrote: > On Tue, Sep 23, 2025 at 10:53:08PM +0200, Salvatore Bonaccorso wrote: > > > > > I've published a trixie build based on the just uploaded > > > > > 1:2.4.1+dfsg1-7. You can install it from my people.debian.org > > > > > repository. See https://people.debian.org/~noahm/repo/ for details, > > > > > and > > > > > use the following sources file: > > > > > > > > > > Types: deb deb-src > > > > > URIs: https://people.debian.org/~noahm/repo > > > > > Suites: trixie-backports > > > > > Components: main > > > > > Signed-By: /etc/apt/noahm.gpg > > > > > > > > > > Let me know if this resolves the issue. Similar packages will likely > > > > > ship in a forthcoming trixie point release. > > > > > > > > Shouldn't these be shipped through stable-security? > > > > > > > > > > Possibly. Let's see what the security team thinks. Multiple people > > > have encountered this issue since the trixie release, and the impact is > > > a significant breach of privacy. It doesn't impact the default > > > configuration, but it only takes uncommenting and adjusting one line to > > > trigger it. > > > > > > Since we just released 13.1, there won't be another trixie point release > > > for a few months, which argues in favor of a DSA IMO. > > > > As the next point release is on 15 November only and given the impact, > > yes tend to agree to release a DSA for this issue. Can you prepare the > > trixie-security debdiff? > > See attached. The diffstat is > changelog | 8 ++ > patches/auth__Use_AUTH_CACHE_KEY_USER_instead_of_per-database.patch | 124 > ++++++++++++++++++++++++++++++++++++++++++ > patches/series | 1 > 3 files changed, 133 insertions(+) > > Note that there's no CVE referenced in the changelog, as we don't seem > to have one for this issue yet.
I will try to have a look at this over the weekend and come back to you. Regards, Salvatore
