On 26/01/17 12:58, Scott Leggett wrote:
> Hi,
>
> Quagga 1.1.0 is currently in unstable and testing. I'd like to upload
> quagga 1.1.1 to fix #852454 (CVE-2017-5495). Quagga ships with some
> shared libraries that are intended for internal use (common code between
> the various quagga routing daemons). These internal libraries have
> always had SONAME 0 up until now.
>
> At some point between Quagga 0.99.24 and 1.1.0, the ABI on these dynamic
> libraries changed, and it was recently reported upstream as a bug
> against 1.1.0 [0]. Subsequently, between Quagga 1.1.0 and 1.1.1,
> upstream has bumped the SONAME on one of the libraries [1][2].
>
> I'm looking for advice on what to do in this situation as the ABI change
> has already occurred on the package that is already in testing. Quagga
> has no reverse dependencies in Debian that link to these shared
> libraries. Should I still go through the transition process before
> uploading 1.1.1?
>
> As the quagga binary packages have cross-dependencies on the same
> version as each other, linking Quagga executables against different
> versions of the shared libraries couldn't occur with Debian packages.
> The only way that this ABI change could cause issues is the way that it
> did in [0], where the user was compiling different versions of quagga
> and linking them against the packaged shared libraries.
>
> Any advice would be appreciated.
Since there are no rdeps, this isn't a transition. Just upload the new
version (with the proper renamed libquagga) asap.

Cheers,
Emilio
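The two facts the reply turns on are that the shipped shared object really carries the new SONAME and that the runtime library package is renamed to match it (Debian Policy 8.1: libfoo.so.1 ships in libfoo1, or libfoo2-1 when the library name itself ends in a digit), plus the absence of reverse dependencies. The script below is an added example for checking those; it is not part of this thread or of the quagga packaging. It assumes readelf (binutils) and apt-cache are installed; the SONAME and package names used in its comments and in the sample readelf line (libexample.so.1, libexample0) are constructed, since the thread does not name which library was bumped.

```shell
#!/bin/sh
# Added example, not from the thread or the quagga package.
# Verifies SONAME -> Debian package-name agreement and lists reverse deps.

# Pull the SONAME out of `readelf -d` output read on stdin. A matching line
# looks like (constructed sample):
#  0x000000000000000e (SONAME)             Library soname: [libexample.so.1]
parse_soname() {
    sed -n 's/.*(SONAME).*\[\(.*\)\].*/\1/p' | head -n 1
}

# SONAME of a shared object on disk (needs binutils' readelf).
soname_of() {
    readelf -d "$1" | parse_soname
}

# Debian Policy 8.1 name for the runtime package of a given SONAME:
#   libexample.so.1 -> libexample1
#   libfoo2.so.1    -> libfoo2-1   (library name ends in a digit)
#   libssl.so.1.1   -> libssl1.1   (multi-component soversion kept as-is)
debian_lib_package() {
    case "$1" in
        *.so.*) base=${1%%.so.*}; sover=${1#*.so.} ;;
        *)      base=${1%.so};    sover= ;;          # unversioned SONAME
    esac
    if [ -z "$sover" ]; then
        printf '%s\n' "$base"
        return
    fi
    case "$base" in
        *[0-9]) printf '%s-%s\n' "$base" "$sover" ;;
        *)      printf '%s%s\n' "$base" "$sover" ;;
    esac
}

# Compare the package a library currently ships in ($1) with the name its
# SONAME ($2) demands. Returns 0 when they agree, 1 when a rename is needed,
# which is the situation the reply calls "the proper renamed libquagga".
check_package_name() {
    want=$(debian_lib_package "$2")
    if [ "$want" = "$1" ]; then
        echo "ok: $1 matches $2"
        return 0
    fi
    echo "rename needed: $2 belongs in $want, not $1"
    return 1
}

# Reverse dependencies known to the local apt cache; prints nothing when
# there are none. Skips the two header lines apt-cache emits.
rdeps_of() {
    apt-cache rdepends "$1" 2>/dev/null | sed '1,2d'
}

# Usage: sh soname-check.sh /path/to/libexample.so.1 [current-package-name]
if [ $# -ge 1 ]; then
    so=$(soname_of "$1")
    echo "SONAME: $so"
    echo "policy package name: $(debian_lib_package "$so")"
    if [ $# -ge 2 ]; then
        check_package_name "$2" "$so"
        echo "reverse dependencies of $2:"
        rdeps_of "$2"
    fi
fi
```

The apt-cache result only covers the suites in the local sources.list, so an empty list here is a sanity check, not the archive-wide answer; the release team's transition tracker (or dak rm -Rn on ftp-master) is the authoritative source for "no rdeps".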

