[Pkg-erlang-devel] Security update breaks dependencies
Sergei Golovan
sgolovan at gmail.com
Thu Jul 13 13:21:19 BST 2023
Hi Lennart,
On Wed, Jul 12, 2023 at 12:11 PM Lennart <lennart at ackermans.ch> wrote:
>
> Hi,
>
> The Debian security repository for Buster released an update for
> erlang-base. The updated version replaces erts-10.2.4 with erts-10.6.4.
> I have programs that depend on 10.2.4, so this breaks my system.
>
> I could not find any reference to erlang in the security announcements
> and Debian security tracker. Do you know what is going on?

The upload was done by the Debian LTS team. Sadly, they did not
consult with me about it, and as far as I can judge it's a mistake.
Instead of backporting a fix for some bug
(https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1024632 to be
specific), they just uploaded Erlang 22.2.7 which has this bug fixed,
but appears to be a major Erlang update (22 vs 21 in buster). Maybe
they thought that they were uploading 21.2.7, I don't know.

I don't know how to fix this easily, as for now I'd suggest you ask
on the LTS mailing list https://lists.debian.org/debian-lts/

Locally, you could simply roll back the erlang packages to the version
from buster (if they are already removed from the main repository,
there's always a snapshot:
https://snapshot.debian.org/package/erlang/1%3A21.2.6%2Bdfsg-1/ )

Cheers!
--
Sergei Golovan
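
The local rollback suggested above, sketched as an added example (not part of the original message and not Debian's own tooling). It assumes version 1:21.2.6+dfsg-1 is reachable from a configured APT source such as the snapshot archive; the function names and the sample package list are constructed for illustration.

```shell
#!/bin/sh
# Added example: plan a rollback of the binary packages built from the
# "erlang" source package to the buster version named in the snapshot URL.
TARGET='1:21.2.6+dfsg-1'   # decoded from the snapshot.debian.org link

# Reads "binary source version" lines on stdin, the shape produced by
#   dpkg-query -W -f='${Package} ${source:Package} ${Version}\n'
# and prints "pkg=TARGET" for every installed erlang binary not at TARGET.
# Packages from other sources (e.g. Erlang libraries) are left alone.
plan_rollback() {
    awk -v target="$TARGET" '
        NF == 3 && $2 == "erlang" && $3 != target { printf "%s=%s\n", $1, target }
    '
}

# Prints an apt_preferences(5) stanza. A priority above 1000 permits the
# downgrade and stops the security archive from upgrading the packages again.
pin_stanza() {
    printf 'Package: erlang*\nPin: version %s\nPin-Priority: 1001\n' "$TARGET"
}

# Constructed sample of dpkg-query output (not taken from a real host).
SAMPLE='erlang-base erlang 1:22.2.7+dfsg-1+deb10u1
erlang-crypto erlang 1:22.2.7+dfsg-1+deb10u1
erlang-syntax-tools erlang 1:21.2.6+dfsg-1
erlang-cowlib erlang-cowlib 2.7.0-1'

# Show the plan for the sample; on a real system feed dpkg-query output in.
echo "# /etc/apt/preferences.d/erlang-buster (hypothetical file name)"
pin_stanza
echo "# packages to pass to: apt-get install --allow-downgrades"
printf '%s\n' "$SAMPLE" | plan_rollback
```

While the pin is in place, later security uploads for these packages are held back as well, so it should be removed once a corrected upload is available.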