On 10/5/21 8:05 PM, Max Kellermann wrote:
> On 2021/10/05 19:15, Sebastiaan Couwenberg <sebas...@xs4all.nl> wrote:
>> tags 995785 upstream
>> forwarded 995785 https://github.com/MapServer/MapServer/pull/6418
>>
>> You should get CVEs for these security issues, then they will be tracked
>> more appropriately than with this bug report.
> 
> Huh, what a strange justification to close a bug report about security
> vulnerabilities.
> 
> I'm not interested in tracking this issue - it's already tracked
> upstream, and my PR has already been approved.  I wanted to help the
> Debian project to ship a vulnerability fix in its version-frozen stable
> releases.  A regular new upstream release will not land in Bullseye,
> and without me telling you, it is unlikely that Debian users will ever
> receive those fixes.
> 
> The last time I fixed vulnerabilities in MapServer (May 4th), the
> fixes didn't land in Debian either.  Debian Bullseye shipped with a
> vulnerable MapServer version.  MapServer 7.6.4 was released on July
> 12th with my vulnerability fixes, but Debian Bullseye was released a
> month later with the known-vulnerable version 7.6.2.

Security issues in packages are tracked via CVEs in:

 https://security-tracker.debian.org/tracker/

Only high severity issues are worth our time to fix in stable. If you
don't follow proper procedure and get CVEs for your security issues,
they won't get any severity assigned and hence won't get fixed in stable.

Kind Regards,

Bas

-- 
 GPG Key ID: 4096R/6750F10AE88D4AF1
Fingerprint: 8182 DE41 7056 408D 6146  50D1 6750 F10A E88D 4AF1