Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian....@packages.debian.org
Usertags: pu

Hi,

Charybdis is unfortunately in very bad shape in stable right now. There was an oversight during the release process that made this bug not appear as release critical:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=768339

Yet because of this bug, charybdis is basically unusable with TLS enabled (which is the default). The error message is obscure and it is unlikely that anyone can fix this problem on their own without having a strong intuition.

I have therefore made a small upload for the package on sid. It fixes that issue, but also a minor security vulnerability that was also unfixed in jessie (and wheezy):

https://tracker.debian.org/news/725820

I have talked with the security team and they agree that a DSA is not necessary because of the workaround (and the fact that charybdis is broken anyways). The CVE has been marked as no-dsa by the team here:

https://security-tracker.debian.org/tracker/CVE-2015-5290

So I would like to upload the -5 release to stable (jessie) directly. I attached the debdiff between -4 and -5 to this mail.

Since upstream is not maintaining 3.3 anymore and the upgrade is transparent, I would also suggest that -5 is uploaded to wheezy as well, but I understand that would be quite a stretch (no pun intended). Wheezy, as far as I know, is not affected by #768339 so is more stable, but it *is* affected by the security vulnerability. The patch I cherry-picked for -5 *seems* to apply to the wheezy version, but I don't have an environment to test this right now.

Thanks for any feedback.

A.

-- System Information:
Debian Release: 8.2
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_CA.UTF-8, LC_CTYPE=fr_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)