Hi Benjamin,

On Mon, Jan 18, 2021 at 07:19:14PM -0800, Benjamin Kaduk wrote:
> On Mon, Jan 18, 2021 at 06:04:39PM +0000, Jeremy Stanley wrote:
> > Thanks for pulling this into unstable and testing! Is there any work
> > in progress to fix it in stable as well? I took a quick peek in
> > Salsa and didn't see any merge requests or an obvious branch for
> > Buster's 1.8.2 (just the debian/1.8.2-1 tag).
>
> It is a clear candidate to fix in stable, though the only concrete steps
> I've been able to take so far are to confirm with the security team that it
> is not a candidate for being fixed via a DSA.
>
> The actual work of backporting the patches should be ~trivial, so the
> process work of engaging with the release team will be the dominating
> factor.

Do you still have this on your radar? While, as discussed, this is not a
DSA candidate, a fix can be released out of order from a point release
via the stable-updates mechanism, and this would definitively be a
candidate for it. The procedure would be the same as proposing the fix
to be released in a point release, but mentioning to the SRM that the
fix actually needs to go out sooner (should be clear from context here),
and pushed via a SUA.

https://lists.debian.org/debian-devel-announce/2011/03/msg00010.html
https://lists.debian.org/debian-stable-announce/
https://wiki.debian.org/StableUpdates

I think this now becomes even more urgent, as users will roll out the
Linux update released as DSA 4843-1, or at the latest at the 10.8 point
release on the weekend, and make the issue more urgent.

Hope this helps!

Regards,
Salvatore