On Wed, 29 Jul 2015 10:49:12 -0300 Miguel Landaeta <nomad...@debian.org> wrote:

> On Wed, Jul 29, 2015 at 10:00:16AM +0100, Russel Winder wrote:
> > Emmanuel, Miguel,
>
> Hi Russel,
>
> > Apache Groovy 1.x series is no longer maintained. All effort is now on
> > the Apache Groovy 2.4.x and 2.5-SNAPSHOT versions. If Debian is to
> > remove Commons CLI 1.2 then I suggest removing the groovy package since
> > the groovy2 package is in place already, and is the right version for
> > Debian to go with.
>
> That's right. We are no longer maintaining Groovy 1.x although we have
> several packages depending on it and our latest Debian stable release
> still includes groovy 1.x.
>
> I stumbled upon this bug due to my attempt to fix CVE-2015-3253 in
> unstable for groovy 1.8.6 (the published fix is relevant for all
> groovy versions since 1.7.0).
>
> I expect to remove groovy eventually but in the meantime we are
> applying only security bug fixes. We are working on groovy2 now.
Hi all,

I suggest asking the release team for an exception and providing the security fix via testing-proposed-updates. The CVE fix appears to be straightforward and could be uploaded afterwards to stable-proposed-updates.

We shouldn't invest too much time in groovy 1.x anymore. I think the time is better spent on trying to switch all r-deps from groovy 1.x to 2.x as soon as possible and getting rid of this package.

Regards,
Markus