Hi Moritz, Salvatore,

On Thu 27 Dec 2018 21:44:33 CET, Salvatore Bonaccorso wrote:

> Hi Mike,
>
> On Thu, Nov 22, 2018 at 08:00:07PM +0100, Moritz Mühlenhoff wrote:
> > On Fri, Oct 26, 2018 at 04:46:39PM +0000, mike.gabr...@das-netzwerkteam.de wrote:
> > > Hi,
> > >
> > > On Friday, 26 October 2018, Moritz Mühlenhoff wrote:
> > > > On Tue, Sep 18, 2018 at 05:06:14PM +0000, Mike Gabriel wrote:
> > > > > Hi,
> > > > >
> > > > > On Mon 17 Sep 2018 23:20:33 CEST, Moritz Mühlenhoff wrote:
> > > > > > On Mon, Sep 17, 2018 at 09:07:38PM +0000, Mike Gabriel wrote:
> > > > > > > I have looked at the changes between 3.1.33 (just uploaded to unstable) and 3.1.31 (in stable). They are awful. Read the below...
> > > > > > >
> > > > > > > 15:42 < sunweaver> Hi all, I have just looked into https://security-tracker.debian.org/tracker/CVE-2018-16831
> > > > > > > 15:43 < sunweaver> even for stretch, it is pretty much impossible to backport the patch series (at least for patches, all containing tons of regexp with multitudes of slashes and backslashes).
> > > > > > > 15:43 < sunweaver> totally insane...
> > > > > > > 15:44 < sunweaver> in fact, my recommendation for jessie and stretch would be (with my maintainer hat _and_ LTS team hats on at once): bring the latest upstream release to jessie/stretch.
> > > > > > > 15:44 < sunweaver> In jessie, we need to upgrade smarty-lexer as well for that.
> > > > > > > 15:46 < sunweaver> the 4 patches we needed at least are these...
> > > > > > > 15:47 < sunweaver> https://github.com/smarty-php/smarty/commit/8d21f38dc35c4cd6b31c2f23fc9b8e5adbc56dfe
> > > > > > > 15:47 < sunweaver> https://github.com/smarty-php/smarty/commit/f9ca3c63d1250bb56b2bda609dcc9dd81f0065f8
> > > > > > > 15:47 < sunweaver> https://github.com/smarty-php/smarty/commit/2e081a51b1effddb23f87952959139ac62654d50
> > > > > > > 15:47 < sunweaver> https://github.com/smarty-php/smarty/commit/c9dbe1d08c081912d02bd851d1d1b6388f6133d1
> > > > > > > 15:48 < sunweaver> and these four sit on top of this...
> > > > > > > 15:48 < sunweaver> https://github.com/smarty-php/smarty/commit/f7a53162058de410a35a9848e6d0795d7c252aaf
> > > > > > > 15:48 < sunweaver> and 10+ other commits.
> > > > > > > 15:48 < sunweaver> all tackling the same code passage.
> > > > > > > 15:49 < sunweaver> @all: can we reach consensus that latest upstream release would be best for jessie LTS and stretch (OT here).
> > > > > > >
> > > > > > > The pile of patches is so awful, I strongly advise getting latest smarty-lexer and latest smarty3 from unstable into stable with thorough testing of dependent applications (gosa, FusionDirectory, slbackup-php, ...). Most of them are maintained by me and I have running setups for testing this (except 1 package in Debian IIRC).
> > > > > >
> > > > > > If you have reasonable test coverage of the reverse deps, we can do that.
> > > > > >
> > > > > > But let's wait for a few more days to spot eventual regressions reported in unstable first. Also, make sure to coordinate the release of the DLA with the DSA, otherwise we end up with a situation where oldstable has a higher version number than stable.
> > > > > >
> > > > > > Cheers,
> > > > > > Moritz
> > > > >
> > > > > I will wait another week with this. I'd like to get this solved before my VAC (6th Oct - 21st Oct).
> > > >
> > > > What's the status?
> > > >
> > > > Cheers,
> > > > Moritz
> > >
> > > I am still waiting for upstream to verify / confirm my patch. Ping dropped Monday this week.
> >
> > Any feedback?
>
> Did you get any feedback on it?
No. However, this week I took some time and tested my patch more intensively. It throws PHP exceptions on certain code paths.
Need to reinvestigate and update my patch... It's on my list, so stay tuned. Sorry for the long delay on my side.
Mike

--
DAS-NETZWERKTEAM
c/o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler Str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4354) 8390 139
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de