Security (team) bits:

Your / security team's call as to patching for Debian,
notably stable and oldstable (and sid too).

I note may be a while before upstream gets around to it:
https://uwsgi-docs.readthedocs.io/en/latest/
Note: The project is in maintenance mode (only bugfixes and
updates for new languages apis). Do not expect quick
answers on github issues and/or pull requests (sorry for
that) A big thanks to all of the users and contributors
since 2009.

I'm almost inclined to think ought be done and promptly,
notably as the source change is highly minimal, and yes, it
is a security bug/fix.  But given its likely quite low
impact, and also significant numbers of reverse
dependencies, and thus possibility of introducing unintended
regression bug, perhaps a meet in the middle?  E.g. get it
into sid, it naturally progresses to testing, it goes into
testing for some reasonable time (2 weeks?) with no reported
regressions, then line it up for proposed-updates -->
updates --> next scheduled point release for stable and
oldstable.

Anyway, just my thoughts on the matter.
Totally y'all's call to make on that.

Much thanks in all regards for your work on it and
consideration, etc.!

Further details and reference bits:

On Sun, Feb 22, 2026 at 1:27 AM Alexandre Rossi <[email protected]> wrote:
> Control: forwarded -1 https://github.com/unbit/uwsgi/pull/2752
Looks good!

> Workaround is to use --umask.
Thanks, nice catch!  And tested, confirmed works,
and that does make for cleaner work-around (at least for
mailman3-web's use of uwsgi[-core]):
$ (cd /var/cache/apt/archives &&
> ar p \
> mailman3-web_0+20200530-2.1_all.deb data.tar.xz |
> xz -d | tar -O -xf - ./etc/init.d/mailman3-web |
> diff -U 2 - /etc/init.d/mailman3-web)
--- -   2026-02-22 13:58:31.788852520 +0000
+++ /etc/init.d/mailman3-web    2026-02-22 13:57:59.000000000 +0000
@@ -20,4 +20,6 @@
 LOGFILE="/var/log/mailman3/web/mailman-web.log"
 DAEMON_ARGS="--ini /etc/mailman3/uwsgi.ini --pidfile ${PIDFILE}
--daemonize ${LOGFILE}"
+# https://bugs.debian.org/1128380 uwsgi[-core] work-around:
+DAEMON_ARGS="${DAEMON_ARGS:+$DAEMON_ARGS }--umask 022"

 test -x $DAEMON || exit 0
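
Review bot: on the added DAEMON_ARGS line, the `${DAEMON_ARGS:+$DAEMON_ARGS }` guard is redundant, because DAEMON_ARGS is assigned a non-empty value on the line directly above it; a plain `DAEMON_ARGS="${DAEMON_ARGS} --umask 022"` does the same thing and reads more clearly. The comment above it gives only the bug URL; it would help to also say which created files the umask is meant to constrain (the pidfile and the --daemonize log are the ones visible in this hunk), so that whoever later merges a packaged version of this init script can tell when the work-around is safe to drop.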
$
