• Bug#1105219: unblock: php-league-commonmark/2.7.0-1 (1/5)

    From David Prévot@21:1/5 to All on Tue May 13 18:30:01 2025
    XPost: linux.debian.devel.release

    --KvfobiQo61QIB6U6
    Content-Type: text/plain; charset=utf-8
    Content-Disposition: inline
    Content-Transfer-Encoding: quoted-printable

    Package: release.debian.org
    Severity: normal
    X-Debbugs-Cc: php-league-commonmark@packages.debian.org
    Control: affects -1 + src:php-league-commonmark
    User: release.debian.org@packages.debian.org
    Usertags: unblock

    Please unblock package php-league-commonmark

    Hi,

    I’ve prepared this upload during MDCHamburg, but forgot to send it back
    then, and thus missed the Soft Freeze date limit for migration. I was
    fine with waiting for the twenty-day migration during Hard Freeze, but I
    just realized the package is actually a key package (I just filed
    #1105208 in order to fix that, but in the meantime, I’m following the
    freeze policy and asking for an unblock).

    [ Reason ]

    New upstream minor version that addresses a potential cross-site
    scripting (XSS) vulnerability when using the `AttributesExtension` with
    untrusted user input.

    [ Impact ]

    Let’s not release Trixie with known security issues (even potential
    ones).

    [ Tests ]

    Tests at build time, as well as autopkgtest (and thus
    reverse-dependencies have also been tested).

    [ Risks ]

    Code change is pretty trivial, at least in the binary package (cf.
    attached diffoscope output), even if source code changes are bigger (a
    lot of changes in the non-shipped documentation, as well as additional
    tests, not shipped either in the binary package).

    [ Checklist ]
    [x] all changes are documented in the d/changelog
    [x] I reviewed all changes and I approve them
    [ ] attach debdiff against the package in testing
    [x] attach diffoscope output against the package in testing

    unblock php-league-commonmark/2.7.0-1

    --KvfobiQo61QIB6U6
    Content-Type: text/plain; charset=utf-8
    Content-Disposition: attachment; filename="plc.diffoscope"
    Content-Transfer-Encoding: quoted-printable

    --- ../php-league-commonmark_2.6.2-1_all.deb
    +++ ../php-league-commonmark_2.7.0-1_all.deb
    ├── file list
    │ @@ -1,3 +1,3 @@
    │ --rw-r--r-- 0 0 0 4 2025-04-22 11:01:30.000000 debian-binary
    │ --rw-r--r-- 0 0 0 8532 2025-04-22 11:01:30.000000 control.tar.xz
    │ --rw-r--r-- 0 0 0 113256 2025-04-22 11:01:30.000000 data.tar.xz
    │ +-rw-r--r-- 0 0 0 4 2025-05-05 14:16:52.000000 debian-binary
    │ +-rw-r--r-- 0 0 0 8532 2025-05-05 14:16:52.000000 control.tar.xz
    │ +-rw-r--r-- 0 0 0 113744 2025-05-05 14:16:52.000000 data.tar.xz
    ├── control.tar.xz
    │ ├── control.tar
    │ │ ├── file list
    │ │ │ @@ -1,3 +1,3 @@
    │ │ │ -drwxr-xr-x 0 root (0) root (0) 0 2025-04-22 11:01:30.000000 ./
    │ │ │ --rw-r--r-- 0 root (0) root (0) 666 2025-04-22 11:01:30.000000 ./control
    │ │ │ --rw-r--r-- 0 root