Hi Markus,

On Tue, Jan 24, 2017 at 01:10:00AM +0100, Markus Koschany wrote:
> On 23.01.2017 07:23, Salvatore Bonaccorso wrote:
> > Hi Markus,
> >
> > Thanks for looking into the issue.
> [...]
> > I agree, upstream has not really provided any useful information, and
> > we have somehow to trust Oracle here, that 8.2 contains the fix. I'm
> > confident, since the 8.2 version gives now a warning, if you try to
> > import a project from a zip file containing members with "../". But I
> > was unable to determine the exact code change.
> >
> > I'm not sure about the options.
> >
> > 1/ try to determine the required changes and backport them to 8.1
> > ideally, but seems a bit hard.
> > 2/ live with the issue, and once stretch is a stable release mark it
> > as no-dsa as well there.
> > 3/ Ask release team if having 8.2+dfsg1-1 in stretch, but I guess that
> > unblock is not feasible anymore now.
> > 4/ something missing?
> >
> > Regards, and sorry for not being more helpful here,
> > Salvatore
>
> Hi Salvatore,
>
> definitely not your fault and thanks for reporting, much appreciated as
> always.
>
> At the moment I think I will mark it as no-dsa in Stretch, 8.2 isn't
> ready for prime time yet but in the future it will eventually close this
> bug report. Of course if someone else can point me to the
> commit/fix/patch I will try to get this into Stretch.

Alright, let's wait until stretch is released, and if until then still
no further information is available, we can tag it <no-dsa> for
stretch.

Thanks for your investigation and comments.

Regards,
Salvatore