Hi Vasyl,

On Wed, Nov 03, 2021 at 10:05:01PM +0000, Vasyl Gello wrote:
> Control: fixed -1 2:19.3+dfsg1-1
> Control: found -1 2:19.1+dfsg2-2~bpo10+1-1
>
> Hi Salvatore!
>
> This bug was fixed in 19.3 upstream, and the sid/bookworm version is not
> vulnerable.

Yes, you are right, that was an error on my side. Checking the source, the upstream commit and where the fix was included, thanks for correcting, and apologies for the bad tracking at first. I double checked what happened, and it was definitively that I got confused about the inclusion of the upstream commit and did not realize it is in 19.3 already.

> I would like to upload 19.3 to stable-pu or stable-sec but the
> approval from SRM is pending for 19.2.
>
> Is it possible to upload 2:19.3+dfsg1-1 to stable-sec as a whole package?
> Or I have to apply the patch for 2:19.1+dfsg2-2 and upload -3?

I'm not yet sure the issue would warrant a security update per se, but the question can be answered for both a DSA and an update via a point release: 2:19.3+dfsg1-1 could not enter bullseye directly. If you do a rebase to the 19.3 upstream, then this would be either a "rebuild" approach, 2:19.3+dfsg1-1~deb11u1 (if no other changes to the packaging need to be done), or, if you import 19.3 on top of the current bullseye packaging because there were other changes in the meanwhile that are not suitable, then 2:19.3+dfsg1-0+deb11u1, to have it sort before 2:19.3+dfsg1-1.

The general strategy is to cherry-pick commits, but as you know there are some sources with exceptions to that rule for stable updates; firefox, linux, mariadb, php and ffmpeg are such cases, and they have some guarantees from CI and testsuites, promises about stability (e.g. no new features, bugfix-only branches, etc.). If you are discussing this already with SRM, then this is indeed the way to go to see if they agree on your proposal to follow the 19.x series for kodi in bullseye.

Likewise for buster, by cherry-picking the fix, be it for an upcoming point release or a DSA.

I cannot answer the question for stretch directly, but I see that LTS would like to issue a DLA for it.

Regards,
Salvatore