Your message dated Sat, 11 Jul 2026 10:32:47 +0000
with message-id <[email protected]>
and subject line Released in 13.6
has caused the Debian Bug report #1139556,
regarding trixie-pu: package debusine/0.11.3+deb13u1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1139556: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1139556
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected], [email protected]
Control: affects -1 + src:debusine
User: [email protected]
Usertags: pu
[ Reason ]
As Debusine is still a rapidly evolving project, we expect anyone using
it seriously to want to use the version in trixie-backports. But we do
have a version in stable, and there are known security vulnerabilities
that we have fixed since its release, so here is a roll-up of backported
security patches.
[ Impact ]
These known security issues would continue to be present in trixie.
[ Tests ]
We have full unit test coverage and meaningful integration tests in
autopkgtests.
A test run on Debusine:
https://debusine.debian.net/debian/developers/work-request/829243/
I have not done any more manual verification than that.
[ Risks ]
There is some refactoring in some of these changes, but it's all fairly
straightforward.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
Two of the backported MRs are hardening, they aren't known to be
exploitable, but they seem like a good idea to protect the server:
- Enforce permissions on the file body upload endpoint.
https://salsa.debian.org/freexian-team/debusine/-/merge_requests/3126
The file body endpoint requires the files (and their hashes) to
already be configured through an endpoint that did have permissions
checks. So the risk here is minimal.
- Sbuild task: harden against shell injection.
https://salsa.debian.org/freexian-team/debusine/-/merge_requests/3124
The data validation shouldn't let any shell injection get as far as
these un-protected string substitutions. But escaping them is
obviously an improvement.
Then there are two real security issues in the server:
- Restrict artifact relation creation and deletion.
https://salsa.debian.org/freexian-team/debusine/-/merge_requests/3127
Anonymous users were able to create and delete relationships between
artifacts.
- Reject .dsc/.changes checksum filenames with multiple path components.
https://salsa.debian.org/freexian-team/debusine/-/merge_requests/3125
Maliciously constructed source packages could be used to read
arbitrary files from the server.
Then there are also some CI configuration updates that aren't relevant
to the Debian package, just getting us to this point.
--- End Message ---
--- Begin Message ---
Version: 13.6
This update was released as part of 13.6.
--- End Message ---