Hi!
Thanks for preparing a LTS fix for privoxy.
For reference, our full procedure is documented at:
https://wiki.debian.org/LTS/Development
To answer your points:
- The debdiff looks good to me
- Salvatore updated the CVE-2021-20274 status accordingly
- 'minor issue' means there is not immediate urgency, so the
buster/stable fixes may be delayed to a point release.
LTS does not have a point release system so an LTS upload sounds good.
- Abhijith (in Cc:) announced his intention to work on the package
yesterday [1], you probably can coordinate with him for the next steps,
in particular who will take care of sending the e-mail and website
announcements.
[1]
https://salsa.debian.org/security-tracker-team/security-tracker/-/blob/master/data/dla-needed.txt
- If you plan to work on future LTS updates of privoxy and would like to
be contacted before the LTS team starts working on an update, let us
know and we'll add you in [2]
[2]
https://salsa.debian.org/security-tracker-team/security-tracker/-/blob/master/data/packages/lts-do-call-me
Cheers!
Sylvain
On 08/03/2021 14:38, Roland Rosenfeld wrote:
Hi!
(please Cc: me in reply, since I'm not subscribed to debian-lts)
Privoxy upstream just released version 3.0.32, which fixes five new
CVEs, which are also reported at security-tracker.
I prepared a package that fixes CVE-2021-20272, CVE-2021-20273,
CVE-2021-20275, and CVE-2021-20276.
CVE-2021-20274 is missing, since this affects code, that was
introduced in 3.0.29, so stretch package is not affected, since we
shipped 3.0.26 in stretch. I requested on IRC #debian-security to
tag stretch and buster as not affected for this CVE.
Since all other CVEs are tagged "minor issue" on security-tracker, I'm
not sure whether it's worth doing a LTS upload for this.
If you think so, feel free to use it or tell me, what I have to do to
upload it...
A patch agains 3.0.26-3+deb9u1 is attached.
Salsa pipeline was successful with this:
https://salsa.debian.org/debian/privoxy/-/pipelines/237014 including
the testsuite.
Greetings
Roland
