Hi Michael,

[looping in [email protected] as we are not automatically CCed on security tagged bugs, so for context of the other team members]

On Sat, Jul 06, 2024 at 09:27:45AM +0300, Michael Tokarev wrote:
> Control: found -1
> 06.07.2024 00:35, Salvatore Bonaccorso wrote:
> ..
> > > This is fixed by qemu uploaded earlier today.
> > >
> > > Patches are already prepared for bookworm (for qemu 7.2.x series) and
> > > already verified upstream and passed the tests.
> >
> > Yes thanks, had only the 1:8.2.5+ds-2 initially to check.
>
> Sure, you didn't know I uploaded a fixed version already.

Well I still consider that a bit sloppy on my end, I usually check various sources, one of which is as well if tracker did see new changes :). Anyway, I think all sorted with respect to unstable :)

> > Updated the security-tracker accordingly now.
>
> Now, I've some doubts about what to do here with other branches.
>
> For bookworm we've two choices: to upload a quick fix to -security
> with just the two changes from upstream, or to wait for upstream
> 7.2.13 version which will be released in 10 days, and push that
> one with this and other fixes. I prefer the second variant, but
> you definitely have your word here.

Yes right, and what is your take on the severity? I think the latter option is better to cover potential other fixes, e.g. I guess CVE-2024-6505 will be addressed as well (though not checked that yet closely). OTOH there is the question if we need a DSA or if the rebase update can be batched in the point release from August so having the update further exposed via proposed-updates.

But in short I do not see an urgency that we cannot wait at least the 10 days.

> And since this bug is old (can't find when the json thing first
> appeared, but it looks like it predates buster). I'll update the
> bug report at least.

Ack!

Thanks for your work on qemu (and other packages)

Regards,
Salvatore

