[14:23] <pfsmorigo> ingvar, hello, do you think it's possible to have a backport of the complete fix for 6.2.1 (focal version) or just mitigate the problem? (tks mdeslaur)
[14:28] <luis220413> pfsmorigo: I filed bug 1986627 for the incomplete fix.
[14:30] <mdeslaur> if it's causing an issue for users, and we don't know what the fix is, we need to back out the patch and release a new package
[14:31] <luis220413> mdeslaur: The fix is known. See the last comment in bug 1971504
[14:32] <mdeslaur> I don't see a fix in that comment
[14:33] <luis220413> mdeslaur: I mean the second-to-last comment: https://bugs.launchpad.net/ubuntu/+source/varnish/+bug/1971504/comments/33
[14:33] <luis220413> I will return in 10 minutes but I will remain online.
[14:39] <luis220413> I am back.
[15:10] <teward> luis220413: i am not the security team but it sounds like you or others are proposing a full version bump. unless the code changes between .1 and .2 are trivial and well documented as to what specifically was changed and why, i'm not sure how feasible that proposed fix from the fedora maintainer would be
[15:10] <luis220413> luis220413: No. The comment says: "Which means that most of the code changes between varnish-6.2.2 and 6.2.3 (tests and doc and stuff may be dropped) should be included in the patch set that fixes CVE-2020-11653."
[15:11] <luis220413> *teward: ^
[15:12] <teward> we have .1 with patches.  including changes between .2 and .3 would be a version bump from .1 to .3.  so the changes between .1 and .2 *are* relevant as i stated
[15:12] <teward> whether we drop tests and documentation or not it's still a version bump if there's not cherry-pickable changes for this
[15:13] <luis220413> teward: The changes between 6.2.1 and 6.2.2 are trivial and included in version 6.2.1-2ubuntu0.1: https://github.com/varnishcache/varnish-cache/compare/varnish-6.2.1...varnish-6.2.2
[15:13] <teward> it is, ultimately, a security team decision on whether they want to prod it with a stick and such and do these changes, but the consideration points are still there
[15:14] <luis220413> teward: The remaining changes can be cherry-picked: https://github.com/varnishcache/varnish-cache/compare/varnish-6.2.2...varnish-6.2.3
[15:26] <luis220413> ebarretto: The Xen SRU in bug 1956166 was merged! I would like you to provide a progress report on the review of my debdiff in bug 1970507.
[15:27] <luis220413> s/merged/released to focal-updates/
[16:17] <pfsmorigo> luis220413, are you going to work in a debdiff for the missing patches for CVE-2020-11653? I see 19 commits but some of them are already included.
[16:39] <luis220413> pfsmorigo: Yes. There are 14 commits to be included in that debdiff.
[16:40] <luis220413> This CVE only affects Ubuntu 20.04.
[16:59] <luis220413> pfsmorigo: I am working on it now.
[17:21] <luis220413> pfsmorigo: I will return in 5 minutes but I will remain online. There are only 4 patches remaining.
[17:31] <luis220413> pfsmorigo: The debdiff is ready.
[17:33] <luis220413> The patched package has just been uploaded to the usual PPA (https://launchpad.net/~luis220413/+archive/ubuntu/security-updates).
[17:37] <luis220413> pfsmorigo: I will return in 45 minutes but remain online.
[18:03] <luis220413> I am back.