Hi Noah,

On Mon, Sep 22, 2025 at 04:40:54PM -0400, Noah Meyerhans wrote:
> Cc [email protected]
>
> On Mon, Sep 22, 2025 at 09:28:34PM +0100, Roger Lynn wrote:
> > > I've published a trixie build based on the just uploaded
> > > 1:2.4.1+dfsg1-7. You can install it from my people.debian.org
> > > repository. See https://people.debian.org/~noahm/repo/ for details, and
> > > use the following sources file:
> > >
> > > Types: deb deb-src
> > > URIs: https://people.debian.org/~noahm/repo
> > > Suites: trixie-backports
> > > Components: main
> > > Signed-By: /etc/apt/noahm.gpg
> > >
> > > Let me know if this resolves the issue. Similar packages will likely
> > > ship in a forthcoming trixie point release.
> >
> > Shouldn't these be shipped through stable-security?
> >
>
> Possibly. Let's see what the security team thinks. Multiple people
> have encountered this issue since the trixie release, and the impact is
> a significant breach of privacy. It doesn't impact the default
> configuration, but it only takes uncommenting and adjusting one line to
> trigger it.
>
> Since we just released 13.1, there won't be another trixie point release
> for a few months, which argues in favor of a DSA IMO.

As the next point release is on 15 November only and given the impact,
yes, I tend to agree to release a DSA for this issue. Can you prepare the
trixie-security debdiff?

Regards,
Salvatore

