Hi,

On Thu, Feb 27, 2025 at 03:33:00PM +0100, Daniel Leidert wrote:
> On Thursday, 27.02.2025 at 11:49 +0100, Marc SCHAEFER wrote:
> >
> > There is a docker.io upgrade for bullseye:
> >
> > https://security-tracker.debian.org/tracker/TEMP-0000000-7C9547
> >
> > However, it was not yet announced, if I am not mistaken.
> >
> > Is this because of a responsible disclosure policy?
> >
> > $ dpkg -s docker.io|grep Version
> > Version: 20.10.5+dfsg1-1+deb11u3
> >
> > $ apt-cache show docker.io | grep Version | head
> > Version: 20.10.5+dfsg1-1+deb11u4
> >
> > Manually downloading, the changelog says:
> >
> > docker.io (20.10.5+dfsg1-1+deb11u4) bullseye-security;
> > urgency=medium
> >
> > * LTS Team upload.
> > * Rebuild with golang-glog 0.0~git20160126.23def4e-3+deb11u1.
> > * No source changes.
> >
> > Does that mean that it actually would fix a go issue that docker.io
> > uses?
>
> I think this relates to DLA-4056-1. According to a recent discussion,
> there should probably be separate DLAs for affected and updated
> packages like docker.io (there were more). I'll forward this to the LTS
> team's list.

Golang and Rust are complicated lands in this regard. For the packages
rebuilt due to a fix needed in golang-glog, the package might just be
mentioned in the respective advisory text (or say that there are
packages that required a rebuild). But they are not tracked, as it's not
a fix done in that respective source package.

Cf. https://lists.debian.org/debian-lts-announce/2025/02/msg00019.html

Regards,
Salvatore
