On Sat, 2012-05-05 at 20:39 +0200, Ondřej Surý wrote:
> On Sat, May 5, 2012 at 5:47 PM, Adam D. Barratt
> <a...@adam-barratt.org.uk> wrote:
> > On Sat, 2012-05-05 at 17:42 +0200, Thijs Kinkhorst wrote:
> >> On Sat, May 5, 2012 16:24, Adam D. Barratt wrote:
> >> > I'd like to try and get php5 migrated to testing over the next couple of
> >> > days. This does mean aging the 5.4.2-1 upload somewhat, but 5.4.1~rc1-1
> >> > had been in unstable for a month already and the diff from that looks
> >> > sane enough once you drop the auto-generated files.
> >>
> >> From a security standpoint I'd like to add that we expect a new PHP
> >> upstream rsn because of the highly publicised cgi vulnerability. I'm not
> >> sure if it would affect your transition plan though; I thought I'd mention
> >> it to be sure.
> >
> > For some reason I had it in my head that 5.4.2 was the upstream version
> > with the fixed fix rather than the not-quite fixed fix.
>
> I think this is the case (e.g. 5.4.2 is the fixed version).

I assume Thijs was referring to CVE-2012-2311, which covers the fix in
5.4.2 being incomplete.

> And in fact I was going to ask release team to help with transition after
> it ages a little bit and fixed r-deps are 10 days old.

I did notice that some of the NMUs for the r-deps were still quite
young, but the changes are largely trivial and in most cases affect only
a few lines of code so I'd be quite happy to age any/all of them.

Regards,

Adam