Hi Tianon, hi Steve,

On Wed, Dec 23, 2015 at 03:27:10PM -0800, Tianon Gravi wrote:
> On 16 December 2015 at 14:09, Tianon Gravi <tia...@debian.org> wrote:
> > Just a friendly ping; any movement towards fixing or at least
> > investigating this vuln? This package is part of minbase, so IMO it
> > looks a little strange to have even something as low as a CVSS 5.8
> > still pending a maintainer response (even just a "naw, this isn't a
> > problem and won't be fixed"). Is it a matter of crafting a patch with
> > the upstream fix? (I'm willing to try my hand at doing so if it'd be
> > helpful.)
>
> I've attached a patch for the packaging on top of the version
> currently in jessie/stretch/sid that builds properly and includes the
> upstream fix from 1.2.1 -- I've not yet had the opportunity to do
> either a security upload or a proper NMU, but I'm willing to read and
> do the work given hrefs and/or preferences, or will happily defer to
> someone with more experience (maybe the maintainer, hint hint vorlon).
> :)
Not the maintainer here, but from the security-upload point of view: if you do an NMU for unstable, it would be nice to have it fixed as well in stable and possibly oldstable. The issue, though, is already marked as no-dsa in the security-tracker (i.e. no DSA is planned for it); the fix could go through a {wheezy,jessie}-pu though.

Regards,
Salvatore