Hi Mike,

On Tue, May 16, 2023 at 09:33:11PM +0000, Mike Gabriel wrote:
> Control: severity -1 serious
> 
> On  Di 16 Mai 2023 19:20:23 CEST, Michael Kiermaier wrote:
> 
> > I consider this bug quite severe as it may break working setups after an
> > update.
> > 
> > The corresponding bug report for Ubuntu might be this one:
> > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034261
> > 
> > It is the same bug reported on the autofs mailing list here:
> > https://www.spinics.net/lists/autofs/msg02389.html
> > Apparently, it has been introduced in the transition of autofs from
> > 5.1.7 to 5.1.8.
> > 
> > A fix has been posted here:
> > https://www.spinics.net/lists/autofs/msg02391.html
> > and again
> > https://www.spinics.net/lists/autofs/msg02434.html
> 
> I share your view on this, thus bumping severity.
> 
> The security team asked me to get the proposed patch into bookworm
> before the release.

Just to be clear about it, while I'm a member of the security team, the
heads-up can be considered not with that hat on. But as both Debian
contributor and autofs user, I noticed the bug and pinged you offlist
because I agree that this should be fixed for bookworm.

Note that the situation is a bit unfortunate, there is not much time
left to get it in. Applying the isolated (verified) patch and asking
the release team for an unblock before 25th of May has still some
room.

> This patch will need to be applied to Debian's version of autofs:
> 
> https://mirrors.edge.kernel.org/pub/linux/daemons/autofs/v5/patches-5.1.9/autofs-5.1.8-fix-nfsv4-only-mounts-should-not-use-rpcbind.patch
> https://git.kernel.org/pub/scm/linux/storage/autofs/autofs.git/commit/?id=80845bbcbc264f19c6c6a81d680e1f2b1ea6d3cc
> 
> I will work on this tomorrow.

Thank you for maintaining src:autofs!

Regards,
Salvatore
