[Bug 1978555] Re: [SRU] New upstream maintenance and security releases for Focal and Jammy

Robie Basak 1978555 at bugs.launchpad.net
Fri Jul 15 13:31:27 UTC 2022


> SPIP does not meet the bulleted criteria in
https://wiki.ubuntu.com/StableReleaseUpdates#New_upstream_microreleases.
However, these microreleases are acceptable because all changes can be
SRUed.

Sorry, I think you misunderstand the policy. If all the changes are
acceptable but the bulleted criteria are not met, then you're expected
to track and verify every single bug individually. That doesn't seem
practical in this case.

I suggest that you proceed by cherry-picking the individual security
fixes that are actually necessary and seeking security sponsorship for
them.

An exception could be made to the usual requirements, but then a case
for that needs to be made please.

-- 
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1978555

Title:
  [SRU] New upstream maintenance and security releases for Focal and
  Jammy

Status in spip package in Ubuntu:
  Fix Released
Status in spip source package in Focal:
  New
Status in spip source package in Jammy:
  New

Bug description:
  The version in Focal is vulnerable to CVE-2020-28984, CVE-2021-44118,
  CVE-2021-44120, CVE-2021-44122, CVE-2021-44123, CVE-2022-26846 and
  CVE-2022-26847.

  The version in Jammy is vulnerable to CVE-2022-26846 and
  CVE-2022-26847.

  To fix the vulnerabilities and other bugs, I want to upgrade to new upstream maintenance and security releases (3.2.15 for Focal and 4.0.7 for Jammy).
  The only additional change is to override Lintian errors.

  Debian released an advisory on March 8.

  [Test Plan]
  For each combination of Ubuntu release and CVE that affects the package in that release, test that the CVE cannot be exploited with the updated package.

  [Where problems could occur]
  There are no reverse dependencies in Ubuntu. However, the upstream bug fixes can cause regressions in software outside of the Ubuntu archive.

  The Files-Excluded field in debian/copyright can be incorrect for the
  new upstream releases, excluding or including files that should not
  be, possibly leading to a nonfunctional SPIP or introducing other
  bugs.
