Hello,

On Mon 25 Dec 2023 at 11:31am +01, Martin Pitt wrote:

> Hello Sean and security team,
>
> Sean Whitton [2023-12-24 9:12 +0000]:
>> I have taken responsibility for fixing these CVEs in libssh in buster,
>> as part of Freexian-funded LTS work. I would like to see if I can help
>> get them fixed in bullseye & bookworm in parallel, to avoid a situation
>> where they're fixed in buster but not fixed in releases to which LTS
>> users might soon upgrade their machines.
>>
>> I see the fixes are all in sid. Are you expecting to issue DSAs for
>> bullseye and bookworm? I would be grateful for some information on the
>> sec team's plans for these fixes.
>
> By now it propagated to testing as well. I have the update for Debian 12
> bookworm prepared, we just wanted to give some field testing to the patches,
> as there was at least one major regression [1], so I needed to backport the
> fix [2] and tests [3].
>
> I am happy to work on the Debian 11 bullseye update now, as there is a
> validated upstream microrelease for it. But if you can work on the Debian 10
> buster (oldoldstable) update, that'd be great -- I don't have a meaningful way
> of testing it, nor enough time over the Christmas holidays.

Many thanks for the info, both.

-- 
Sean Whitton