Activity log for bug #1867116

Date Who What changed Old value New value Message
2020-03-12 09:05:44 Anthony Fok bug added bug
2020-03-12 09:06:26 Anthony Fok affects nginx (Ubuntu) libsass (Ubuntu)
2020-03-12 09:06:53 Anthony Fok bug added subscriber Ubuntu Release Team
2020-03-12 09:07:35 Anthony Fok description

Old value:

Please update libsass from 3.5.5-4 (universe, focal) to 3.6.3-1 by syncing from Debian sid.

Besides new features and expanded APIs in the libsass 3.6 series, 3.6.3 also contains security fixes up to November 2019. libsass 3.5.5, on the other hand, was released in November 2018, and while Debian's libsass 3.5.5-4 contains some backported security fixes, it only covers security fixes up till May 2019, missing at least CVE-2019-18798 and CVE-2019-18799 which are fixed by libsass 3.6.3. See also https://security-tracker.debian.org/tracker/source-package/libsass

This will also allow hugo 0.66.0-1 which requires libsass 3.6.3-1 (via golang-github-bep-golibsass 0.6.0-1) to enter Ubuntu 20.04 LTS (focal).

Note that the following packages which depend on libsass will need to be sync'ed from Debian too to build/autopkgtest successfully with libsass 3.6.3-1, namely:

* sassc 3.6.1-2 (upstream version for libsass 3.6.x)
* ruby-sassc 2.2.1-1 (upstream version for libsass 3.6.x)
* libsass-python 0.19.4-0.1 (upstream version for libsass 3.6.x)
* node-node-sass 4.13.1-3 (embed its included copy of libsass 3.5.5; upstream has given no time table for upgrade to libsass 3.6)

Many thanks!

Anthony Fok

New value:

Please update libsass from 3.5.5-4 (universe, focal) to 3.6.3-1 by syncing from Debian sid.

Besides new features and expanded APIs in the libsass 3.6 series, 3.6.3 also contains security fixes up to November 2019. libsass 3.5.5, on the other hand, was released in November 2018, and while Debian's libsass 3.5.5-4 contains some backported security fixes, it only covers security fixes up till May 2019, missing at least CVE-2019-18798 and CVE-2019-18799 which are fixed by libsass 3.6.3. See also https://security-tracker.debian.org/tracker/source-package/libsass

This will also allow hugo 0.66.0-1 which requires libsass 3.6.3-1 (via golang-github-bep-golibsass 0.6.0-1) to enter Ubuntu 20.04 LTS (focal).

Note that the following packages which depend on libsass will need to be sync'ed from Debian too to build/autopkgtest successfully with libsass 3.6.3-1, namely:

* sassc 3.6.1-2 (upstream version for libsass 3.6.x)
* ruby-sassc 2.2.1-1 (upstream version for libsass 3.6.x)
* libsass-python 0.19.4-0.1 (upstream version for libsass 3.6.x)
* node-node-sass 4.13.1-3 (embed its included copy of libsass 3.5.5; upstream has given no timetable for upgrade to libsass 3.6)

Many thanks!

Anthony Fok
2020-03-12 09:08:28 Anthony Fok attachment added ChangeLog from output of "git log 3.5.5..3.6.3" command https://bugs.launchpad.net/ubuntu/+source/libsass/+bug/1867116/+attachment/5336016/+files/libsass-git-log-3.5.5..3.6.3.log
2020-03-12 09:10:20 Anthony Fok attachment added Build log of libsass 3.6.3-1 on amd64 in Debian https://bugs.launchpad.net/ubuntu/+source/libsass/+bug/1867116/+attachment/5336018/+files/libsass_3.6.3-1_amd64.build
2020-03-12 16:39:26 Anthony Fok tags focal
2020-04-06 16:13:19 Martin Wimpress libsass (Ubuntu): status New Fix Released