Bug#1028475: Backport recent GVariant security fixes to Stable
Salvatore Bonaccorso
carnil at debian.org
Sat Jan 14 20:15:41 GMT 2023
Hi Simon,
Thank you for adding looping in.
On Thu, Jan 12, 2023 at 10:10:35AM +0000, Simon McVittie wrote:
> Control: tags -1 + security
>
> On Wed, 11 Jan 2023 at 16:37:01 +0000, Philip Withnall wrote:
> > Are there plans to backport the recent GVariant security fixes to
> > Debian Stable?
> >
> > These are:
> > - https://gitlab.gnome.org/GNOME/glib/-/issues/2782
> > - https://gitlab.gnome.org/GNOME/glib/-/issues/2121
> > - https://gitlab.gnome.org/GNOME/glib/-/issues/2540
> > - https://gitlab.gnome.org/GNOME/glib/-/issues/2794
> > - https://gitlab.gnome.org/GNOME/glib/-/issues/2797
> > - https://gitlab.gnome.org/GNOME/glib/-/issues/2840
> > - https://gitlab.gnome.org/GNOME/glib/-/issues/2841
> >
> > In addition, these two issues have highly related fixes (which it’s
> > probably easiest to backport in the same tranche), but they are not
> > security issues:
> > - https://gitlab.gnome.org/GNOME/glib/-/issues/2612
> > - https://gitlab.gnome.org/GNOME/glib/-/issues/2839
> >
> > Apologies if a decision has been deliberately taken to not backport
> > them, I don’t fully understand the criteria for what gets backported.
>
> There are actually two sets of criteria for what gets backported to
> stable. If the Debian security team (Cc'd) thinks an issue is sufficiently
> serious to need a security advisory and an immediate release, then they
> prepare a security update, either doing the work themselves or coordinating
> with the package's maintainer for the actual code changes.
>
> If the security team are not interested in an issue, but the package's
> maintainer thinks the issue needs a stable update, then the package's
> maintainer coordinates with the release team to get the change into the
> next stable point release, which happens once per 1-2 months.
>
> I think these issues are all denial-of-service, which the security team
> usually treats as not sufficiently important for an advisory and an
> off-schedule fix. Security team: do you agree, based on the information
> quoted below? If yes, we can treat this as a low-priority security fix
> (I would personally rate its severity at somewhere between important
> and minor) and fix it in a point release later.
I do agree, a point release update seems enough (if feasible, in
backport size and confidence).
Regards,
Salvatore