On Thu, Jan 24, 2019 at 09:16:37AM +0100, Hugo Lefeuvre wrote: > Dear security team, > > I'm currently preparing a jessie security update addressing CVE-2019-3461, > based on 1.6.13+nmu1+deb9u1 (stretch version). > > I see that the diff is quite huge (same code as buster 1.6.14 right?) and > adds a new libmount-dev dependency. I've had a look at the diff, tested it > in jessie and so far I'm fine with that (especially because it was already > uploaded to stretch).
The new libmount dependency is necessary for the new check used by the security fix. Most of the additional autoconf noise is related to that new dependency and to the fact that the last upload to unstable before the 1.6.14 one was in 2010. If the debdiff for jessie is identical to the one in stretch (the base versions are identical after all), do a few functionality tests and you should be good. If you strip the autoconf bits, the debdiff is also pretty small. Cheers, Moritz