On Tue, Apr 14, 2020 at 10:04:00PM +0200, Salvatore Bonaccorso wrote:
> Control: tags -1 - moreinfo
>
> Hi Adam,
>
> On Sun, Apr 12, 2020 at 10:05:55PM +0100, Adam D. Barratt wrote:
> > Control: tags -1 + moreinfo
> >
> > On Sun, 2020-04-12 at 09:23 -0400, Roberto C. Sanchez wrote:
> > > Please find attached a proposed debdiff for php-horde-data. The
> > > change fixes CVE-2020-8518, which the security team has classified as
> > > <no-dsa>, deeming it a minor issue which can be fixed via a point
> > > release.
> >
> > The Security Tracker indicates that this issue affects the package in
> > unstable and is not yet fixed there; is that correct?
>
> This is correct, the issue has not been fixed in unstable "yet". The
> horde ecosystem is currently unmaintained, and previous maintainer
> indicated to ask actually for removal if nobody steps up. See #942282
> for context.
>
> That said, it's possible to either wait for a fix in unstable or the
> removal of the php-horde* packages first before accepting the upload
> for a buster point release (same for the other updates proposed by
> Roberto).
>
> Does this make sense?
>

Hi Salvatore,

I've communicated with Mathieu Parent (the php-horde-* maintainer)
regarding his intentions for unstable uploads of these three packages.
He has asked that I go ahead and perform the uploads.

However, if you think that a removal request is forthcoming in the very
near future, I will wait and not make those uploads. My intent was to
have them done in the next 24 hours.

Please advise if I should proceed or if I should wait for removal.

Regards,

-Roberto

--
Roberto C. Sánchez