On Sun, 03 Nov 2019 at 17:51:09 +0100, Salvatore Bonaccorso wrote:
> On Wed, Oct 30, 2019 at 03:04:26PM +0000, Simon McVittie wrote:
> > How do the security team want to handle this - as a stable update, or
> > as a DSA? It isn't a security fix in its own right, but it fixes what
> > is effectively a regression triggered by fixing CVE-2019-14822 in ibus
> > (#940267, DSA-4525-1).
>
> I would lean towards fixing it via a point release, still even if the
> issue was uncovered/triggered by fixing CVE-2019-14822. This allows for
> slightly more exposure as well before the point release.

OK. Proposed backports here:
https://salsa.debian.org/gnome-team/glib/commits/debian/buster

I didn't include
d/p/gcredentialsprivate-Document-the-various-private-macros.patch
in this version, but I did include a backport of the unit test from
upstream git master, together with some subsequent fixes to give it
better coverage and portability.

I'm smoke-testing a similar backport for stretch, which I'll push when
it passes the build/autopkgtest/piuparts pipeline.

I'll propose these versions to the release team as-is, but I'll also
point out that the test-related patches can be dropped if they prefer.
(Including the test gives me better confidence that everything is working,
though!)

    smcv