#> we'll go with lowering to 'important', with an attached explanation.
#285128: kdelibs: CAN-2004-1165: FTP command injection bug
severity 285128 important
#286516: kdebase: CAN-2004-1158: Konqueror Window Injection Vuln.
severity 286516 important
#286521: kdelibs: CAN-2004-1145: Konqueror Java Vulnerability
severity 286521 important
thanks mate, see you again after the transition
In agreement with the Release Team, I'm downgrading the severity of
the above three security bugs in KDE to important, so that KDE 3.3 can
enter sarge. See this thread [1] for more info.
[1] http://lists.debian.org/debian-release/2005/01/msg00004.html
The severity will be restored right after the transition, and uploads
to sid will shortly follow. Just to say what is going to happen:
kdebase 3.3.1-4 will be uploaded first (along with a arts 1.3.2-2, not
security related). While buildds churn these two, a kdelibs 3.3.2-1
upload to sid will be prepared, and uploaded as soon as kdebase+arts
is built in all arches.
We need to upload kdelibs 3.3.2 since the fix for CAN-2004-1145 (the
Java Vulnerability) is not easily backportable to 3.3.1. Having
kdelibs 3.3.2 with the rest of packages being at 3.3.1 is a safe mix;
in any case, we will test prior to uploading and the urgency won't be
set to high.
Cheers,
--
Adeodato Simó
EM: asp16 [ykwim] alu.ua.es | PK: DA6AE621
Listening to: 10,000 Maniacs - don't talk
Don't worry about what anybody else is going to do. The best way to
predict the future is to invent it.
-- Alan Kay
