
Please consider backporting the fix for CVE-2024-7254, RUSTSEC-2024-0437 to v2

Open NoisyCoil opened this issue 8 months ago • 0 comments

Hi. CVE-2024-7254 and RUSTSEC-2024-0437 were recently brought to the attention of the Debian Rust Team in Bug#1103833. We're happy to see v3 was patched. However, some of the applications in Debian testing are still using v2 and, since we're already 1.5 months into the Trixie freeze, we have serious difficulties upgrading to v3: library transitions are forbidden at this stage, and to update protobuf we would also have to update prometheus, thus requiring two transitions. For this reason we are considering removing protobuf and all its reverse dependencies from Debian Trixie.

It is my understanding that

Version 2 is the previous stable version. Only the most critical bugfixes will be applied to the 2.x version; otherwise it won't be maintained.

I would like to ask if you could consider backporting the patch to v2. Alternatively, I'd appreciate it if you could leave some feedback on the backport proposed by @pjenvey in https://github.com/stepancheg/rust-protobuf/pull/756#issuecomment-2715961002.

Thank you in advance.

NoisyCoil, Apr 24 '25 20:04