Your message dated Thu, 19 Jun 2025 19:43:50 +0200
with message-id <[email protected]>
and subject line Re: Bug#1104748: release.debian.org: advise on handling
QuickJS and Edbrowse for Trixie
has caused the Debian Bug report #1104748,
regarding release.debian.org: advise on handling QuickJS and Edbrowse for Trixie
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1104748: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1104748
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: important
X-Debbugs-Cc: [email protected]
Hi
QuickJS has two CVEs, see
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1104255 .
Upstream has fixed the CVEs in a new version that at the same time makes an
API-incompatible change. Backporting the CVEs can be riskier packaging the new
upstream version. The currently only downstream users of QuickJS is Edgbrowse
which statically links to QuickJS and is also affected by the API change.
In an attempt to close the CVEs, I've uploaded the latest QuickJs 2025.04.26
and would now need to upload the already packaged Edbrowse (see SALSA). I
suppose this is against the release plan/policy, hence I'm raising it here.
As I said, I believe it will be easier for Trixie to get the latest versions
into Debian, as this will decrease the maintenance burden, especially in the
case of future CVEs.
Thanks
signature.asc
Description: PGP signature
--- End Message ---
--- Begin Message ---
On 2025-05-27 09:57:27 +0200, Sebastian Humenda wrote:
> Hi
>
> Sebastian Ramacher schrieb am 26.05.2025, 23:01 +0200:
> […]
> >> QuickJS has two CVEs, see
> >> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1104255 .
> >> Upstream has fixed the CVEs in a new version that at the same time makes an
> >> API-incompatible change. Backporting the CVEs can be riskier packaging the
> >> new
> >> upstream version. The currently only downstream users of QuickJS is
> >> Edgbrowse
> >> which statically links to QuickJS and is also affected by the API change.
> >>
> >> In an attempt to close the CVEs, I've uploaded the latest QuickJs
> >> 2025.04.26
> >> and would now need to upload the already packaged Edbrowse (see SALSA). I
> >> suppose this is against the release plan/policy, hence I'm raising it here.
> >
> >So I suppose that caused #1104835, right? Could you please fix the state
> >in unstable and then file unblock bugs for both.
>
> Yes, indeed. I'll do.
Both have been uploaded and unblocked. Closing
Cheers
--
Sebastian Ramacher
--- End Message ---
