Hi Salvatore,
On 22/05/26 9:24 pm, Salvatore Bonaccorso wrote:
>>> If I get no answers for a week, I'll consider that as a yes and will go
>>> ahead and upload it.
>>> Not trying to be pushy but I feel this should be fixed ASAP.
>> I've also pushed the built artefacts here in case someone wants to test.
>
> Remark: No you never would upload just because not hearing anything
> ;-) That does not help, the uploads won't be published without review
> and manual intervention to release the DSA.
Got it. What is the best option in case of a non-response, though?
(Though I see the security team is quite active so it probably won't happen?)
> That said, I had a look.
Thanks!
>> diff -Nru kitty-0.41.1/debian/changelog kitty-0.41.1/debian/changelog
>> --- kitty-0.41.1/debian/changelog 2025-06-05 11:09:21.000000000 -0400
>> +++ kitty-0.41.1/debian/changelog 2026-05-21 16:34:49.000000000 -0400
>> @@ -1,3 +1,9 @@
>> +kitty (0.41.1-2+deb13u1) trixie-security; urgency=medium
>> +
>> + * Add patches to fix CVE-2026-33642 and CVE-2026-33633
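Review bot: The entry "* Add patches to fix CVE-2026-33642 and CVE-2026-33633" has no bug closer in the lines quoted here, so the changelog is not tied to the Debian bug tracking these CVEs; add a "Closes:" reference under that item. The entry also does not say which patch addresses which CVE; naming the patch files per CVE would let a reviewer match the changelog to the debdiff without opening each patch.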
>
> Debdiffs look good to me, thanks for preparing them.
>
> Can you add here please as well the bug closer?
Added:

  * Add patches to fix CVE-2026-33642 and CVE-2026-33633
    Closes: #1137210

> Then please upload to security-master, and make sure to build with -sa.
$ dput security-master kitty_0.41.1-2+deb13u1_source.changes
Uploading kitty using ftp to security-master (host:
ftp.security.upload.debian.org; directory: /pub/SecurityUploadQueue)
...
Uploading kitty_0.41.1-2+deb13u1.dsc
Uploading kitty_0.41.1.orig.tar.gz
Uploading kitty_0.41.1-2+deb13u1.debian.tar.xz
Uploading kitty_0.41.1-2+deb13u1_amd64.buildinfo
Uploading kitty_0.41.1-2+deb13u1_source.changes
> Debian bookworm is still supported for one month, can you prepare as
> well an update for it, please? Note there is as well a no-dsa CVE for
> kitty: CVE-2025-43929, can you check its backportability and include
> this one as well for the bookworm-security update?
I'm quite short on time, to be honest, and not sure if I can manage cycles
for this.
Will it be possible for someone from the security team to take care of it, or
otherwise the LTS team after a month when bookworm is officially unsupported?
If the answer is no, I'll try to squeeze in some time on Sunday evening.
Best,
Nilesh