Public bug reported:

Please update libsass from 3.5.5-4 (universe, focal) to 3.6.3-1 by syncing from Debian sid.

Besides new features and expanded APIs in the libsass 3.6 series, 3.6.3 also contains security fixes up to November 2019. libsass 3.5.5, on the other hand, was released in November 2018, and while Debian's libsass 3.5.5-4 contains some backported security fixes, it only covers security fixes up till May 2019, missing at least CVE-2019-18798 and CVE-2019-18799 which are fixed by libsass 3.6.3.

See also https://security-tracker.debian.org/tracker/source-package/libsass

This will also allow hugo 0.66.0-1 which requires libsass 3.6.3-1 (via golang-github-bep-golibsass 0.6.0-1) to enter Ubuntu 20.04 LTS (focal).

Note that the following packages which depend on libsass will need to be sync'ed from Debian too to build/autopkgtest successfully with libsass 3.6.3-1, namely:

 * sassc 3.6.1-2 (upstream version for libsass 3.6.x)
 * ruby-sassc 2.2.1-1 (upstream version for libsass 3.6.x)
 * libsass-python 0.19.4-0.1 (upstream version for libsass 3.6.x)
 * node-node-sass 4.13.1-3 (embed its included copy of libsass 3.5.5; upstream has given no timetable for upgrade to libsass 3.6)

Many thanks!

Anthony Fok

** Affects: libsass (Ubuntu)
     Importance: Undecided
         Status: New

** Package changed: nginx (Ubuntu) => libsass (Ubuntu)

** Description changed:

Please update libsass from 3.5.5-4 (universe, focal) to 3.6.3-1 by syncing from Debian sid. Besides new features and expanded APIs in the libsass 3.6 series, 3.6.3 also contains security fixes up to November 2019. libsass 3.5.5, on the other hand, was released in November 2018, and while Debian's libsass 3.5.5-4 contains some backported security fixes, it only covers security fixes up till May 2019, missing at least CVE-2019-18798 and CVE-2019-18799 which are fixed by libsass 3.6.3. See also https://security-tracker.debian.org/tracker/source- package/libsass This will also allow hugo 0.66.0-1 which requires libsass 3.6.3-1 (via golang-github-bep-golibsass 0.6.0-1) to enter Ubuntu 20.04 LTS (focal). 
Note that the following packages which depend on libsass will need to be sync'ed from Debian too to build/autopkgtest successfully with libsass 3.6.3-1, namely: * sassc 3.6.1-2 (upstream version for libsass 3.6.x) * ruby-sassc 2.2.1-1 (upstream version for libsass 3.6.x) * libsass-python 0.19.4-0.1 (upstream version for libsass 3.6.x) - * node-node-sass 4.13.1-3 (embed its included copy of libsass 3.5.5; upstream has given no time table for upgrade to libsass 3.6) + + * node-node-sass 4.13.1-3 (embed its included copy of libsass 3.5.5; + upstream has given no timetable for upgrade to libsass 3.6) Many thanks! Anthony Fok

https://bugs.launchpad.net/bugs/1867116

Title:
  [FFe] Please sync libsass 3.6.3-1 from Debian