Your message dated Fri, 2 Aug 2019 13:36:13 +0200
with message-id <7f7a590c-d2e3-76c0-6700-2db678a51...@debian.org>
and subject line Re: undertow: Keep it out of Buster
has caused the Debian Bug report #903916,
regarding undertow: Keep it out of Buster
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
903916: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=903916
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: undertow
Version: 1.4.25-1
Severity: serious

I am filing this bug report to prevent the migration of undertow to
testing and subsequently being part of the next stable release Debian
10, "Buster". This was also briefly discussed with the Security Team.

Reasons:

 - Undertow is regularly affected by security vulnerabilities but
   upstream often does not provide enough information to fix the issue
   with a targeted patch. Sometimes additional information is not
   public or is only disclosed weeks and months later. I have filed a bug
   report and suggested to improve the communication policy but so far
   nothing has happened.

 - Undertow has no reverse-dependencies besides syncany in
   experimental.

Once Buster is released this bug report can be closed again and
hopefully the situation has improved by then.

Markus

--- End Message ---
--- Begin Message ---
On Mon, 16 Jul 2018 18:06:06 +0200 Markus Koschany <a...@debian.org> wrote:
> Source: undertow
> Version: 1.4.25-1
> Severity: serious
> 
> I am filing this bug report to prevent the migration of undertow to
> testing and subsequently being part of the next stable release Debian
> 10, "Buster". This was also briefly discussed with the Security Team.

[...]

I am going to close this bug report now in the hope that fixing CVEs will
be more straightforward from now on. There was some ongoing effort with
packaging Wildfly for which undertow is a basic component. However,
should there be no important reverse-dependency in Bullseye, we can omit
Undertow from Debian 11 again because it wouldn't be worth the effort to
provide security support.

Markus



--- End Message ---
