Hi,

[Disclaimer: not a release team member]

On Sat, May 08, 2021 at 08:08:26AM +0200, Bas Couwenberg wrote:
> Package: release.debian.org
> Severity: normal
> Tags: buster
> User: [email protected]
> Usertags: pu
>
> CVE-2021-32062 as reported in #988208 also affects version 7.2 in buster.
>
> [ Reason ]
> Fix CVE-2021-32062.
>
> [ Impact ]
> Unfixed security issue.
>
> [ Tests ]
> Upstream CI.
>
> [ Risks ]
> Low.
>
> [ Checklist ]
> [x] *all* changes are documented in the d/changelog
> [x] I reviewed all changes and I approve them
> [x] attach debdiff against the package in (old)stable
> [ ] the issue is verified as fixed in unstable
>
> [ Changes ]
> A different VCS branch is used for buster, for which the packaging is updated.
>
> Both upstream patches are required to fix CVE-2021-32062.
> 0001-Use-CPLSetConfigOption-CPLGetConfigOption-for-some-C.patch is a
> dependency of 0001-Address-flaw-in-CGI-mapfile-loading-that-makes-it-po.patch.
>
> The upstream changes introduce two symbols used to fix the issue, for which
> the symbols file is updated.
>
> lintian also reported a spelling error, which is left unfixed.
>
> [ Other info ]
> The fix for unstable is pending pre-approval, see: #988224.
>
> Kind Regards,
>
> Bas

> diff -Nru mapserver-7.2.2/debian/changelog mapserver-7.2.2/debian/changelog
> --- mapserver-7.2.2/debian/changelog	2019-02-20 05:43:10.000000000 +0100
> +++ mapserver-7.2.2/debian/changelog	2021-05-08 07:35:27.000000000 +0200
> @@ -1,3 +1,12 @@
> +mapserver (7.2.2-2) buster; urgency=high

To try to be consistent with the versioning usually used for stable, I would suggest using 7.2.2-1+deb10u1 (even if we know that 7.2.2-2 was never in the archive). Though that said, exceptions exist anyway.

Regards,
Salvatore
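Review bot: the new changelog stanza `+mapserver (7.2.2-2) buster; urgency=high` bumps the plain Debian revision instead of using the stable-update form `7.2.2-1+deb10u1`, which is what keeps the buster version sorting below anything later uploaded to unstable; the stanza should be renamed accordingly (and the upstream patch names, symbols-file update and VCS changes described under `[ Changes ]` then need to be re-checked against the renamed entry). Note also that the hunk header `@@ -1,3 +1,12 @@` announces nine added lines but only this first one is quoted here, so the rest of the entry and the remainder of the debdiff cannot be reviewed from this message alone.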

