Moritz Muehlenhoff wrote: >> You are right that we should do an update for a point release of lenny >> though to address a minor information disclosure vulnerability[1], plus >> some other non-security related bugs. However, I'd like to avoid >> upgrading to a newer 1.4.x release but backport changes instead; we used >> to heavily patch our sources and changing the upstream release is prone >> to errors. > > Fine with me. OK, will do soon.
>> As for etch, the current version should be affected by multiple >> vulnerabilities (information disclosure *and* remote DoS) and I'm >> currently unable to properly take care of them and test it. Unless a >> comaintainer steps up (please people, do!) I'd more inclined to suggest >> a premature end of security support (are there precedents for this?) > > We can do that, yes. The are some precedents, like rails or Mozilla. Hm, OK, I'll let you know in a few days. I guess an e-mail to secur...@d.o would be sufficient? Thanks, Faidon -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
