[pkg-lynx-maint] Bug#991971: Bug#991971: Bug#991971: [CVE-2021-38165] lynx: bug in SSL certificate validation -> leaks password in clear text via SNI (under some circumstances)
Axel Beckert
abe at debian.org
Sun Aug 8 11:30:49 BST 2021
Hi Salvatore,
Salvatore Bonaccorso wrote:
> > > bullseye-security is operational, so we can do both at the same time
> > > so that bullseye will be fixed from day one.
> >
> > That'd be great, thanks!
> >
> > Feel free to base the security upload upon 2.9.0dev.6-3 which I
> > uploaded just recently. From my point of view nothing except the first
> > and last line of the debian/changelog entry needs to be changed for
> > bullseye-security.
>
> Do I understand correctly you currently have not capacity to prepare
> that upload?
Yes, but I also wasn't aware that I could do that upload.
> If so I can happily chime in, but if you as maintainer
> will that will be perfectly preferable.
I'm a bit short of time for the rest of the day, so it'd be nice if
someone else could do that upload.
> If so: I suggest: just do a ~deb11u1 on top of the current unstable
> upload, with changelog entry "Rebuild for bullseye-security", then
> pass -v2.9.0dev.6-2 to dpkg-genchanges invocation, to include all
> changelog entries from 2.9.0dev.6-3 up to 2.9.0dev.6-3~deb11u1 into
> changes file. Make sure to build with -sa, as lynx/2.9.0dev.6 is new
> for dak on security-master.
Interesting. I'd have done a 2.9.0dev.6-2+deb11u1 by reusing the
2.9.0dev.6-3 upload and just modifying the changelog entry. I thought
that would be cleaner. But I'm fine with both variants.
> > I can also look into how well the patch applies to buster's version of
> > Lynx, but it might take until Monday.
>
> Thank you!
Do they need to go into the same DSA?
Regards, Axel
--
,''`. | Axel Beckert <abe at debian.org>, https://people.debian.org/~abe/
: :' : | Debian Developer, ftp.ch.debian.org Admin
`. `' | 4096R: 2517 B724 C5F6 CA99 5329 6E61 2FF9 CD59 6126 16B5
`- | 1024D: F067 EA27 26B9 C3FC 1486 202E C09E 1D89 9593 0EDE