On Wed, 2025-08-27 at 22:27 +0200, Salvatore Bonaccorso wrote:
> Any news here for the upload of apache2 for the bookworm point
> release?
>
> An update would need to happen soon now, as window is closing
> upcoming weekend for getting things into the next bookworm point
> release.

FWIW, no message to this bug with debdiffs attached has made it to debian-release, because of the size of the attachments. Please do some combination of compressing them and stripping e.g. autogenerated files (but explain what you did) in future.

The changelog seems a bit wrong:

+apache2 (2.4.65-1~deb12u1) bookworm; urgency=medium + + * Team upload + + [ Yadd ] + * Drop patches included in upstream + * New upstream version 2.4.64 + (Closes: CVE-2025-23048, CVE-2024-42516, CVE-2024-43204, CVE-2024-43394, + CVE-2024-47252, CVE-2025-49630, CVE-2025-49812, CVE-2025-53020, + CVE-2025-54090) + * Unfuzz patches + + [ Bastien Roucariès ] + * Add a NEWS entry following CVE-2025-23048 + + -- Bastien Roucariès <ro...@debian.org> Tue, 29 Jul 2025 22:18:46 +0200 +

Why is there no mention of 2.4.65 in the changelog, only 2.4.64? 2.4.65 contains a single change, namely a fix for CVE-2025-54090, but the changelog claims that fix is part of 2.4.64.

This also seems odd:

diff -Nru apache2-2.4.62/CHANGES apache2-2.4.65/CHANGES --- apache2-2.4.62/CHANGES 2024-07-11 13:58:12.000000000 +0000 +++ apache2-2.4.65/CHANGES 2025-07-11 01:20:00.000000000 +0000 @@ -1,6 +1,310 @@ -*- coding: utf-8 -*- +Changes with Apache 2.4.65 + +Changes with Apache 2.4.64

The version number used claims that the upload is a simple rebuild of 2.4.65-1, but it actually appears to be the 2.4.62 package with the new upstream version applied to it. Given the version used, I'd expect debian/changelog to contain details of the uploads to unstable between 2.4.62-1~deb12u1 and the current upload (and probably not 2.4.62-1~deb12u1 at all).

Personally, I think this should be 2.4.65-0+deb12u1. In any case, the lack of any mention of 2.4.65 itself in the changelog and the misplacing of the related CVE fix seems more of a problem.

Regards,

Adam
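
Review bot: The "* New upstream version 2.4.64" item in the [ Yadd ] block of the debian/changelog hunk is the only upstream version the entry records, although the entry is versioned 2.4.65-1~deb12u1 and its CVE list includes CVE-2025-54090, which the review above attributes to 2.4.65. Add a separate "New upstream version 2.4.65" item and move CVE-2025-54090 under it, so that someone auditing bookworm against the CVE list can tell which upstream release carries which fix. The "(Closes: ...)" wrapper on the same item is the keyword used for Debian bug numbers, and it is followed here by CVE ids only; listing the ids without that keyword avoids implying that a bug is being closed.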
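
Review bot: In the CHANGES hunk, the added heading "+Changes with Apache 2.4.65" is followed directly by "+Changes with Apache 2.4.64" with no entry between them in the lines quoted, so upstream's own file gives a reader nothing on what 2.4.65 changes. The hunk header (@@ -1,6 +1,310 @@) shows that most of the added lines are not quoted here, so check the full debdiff to confirm that the 2.4.65 section is empty; if it is, debian/changelog is the only place the package documents the 2.4.65 fix, which makes recording it there more important.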