Lorenzo Martignoni wrote:
> > If you can, please build an updated package, based on the version in
> > sarge and woody if that's needed as well, and place them on a .debian.org
> > host.
>
> I already have a fixed package. I only need to add the CVE ID.
>
> On which host of .debian.org should I u
* Martin Schulze <[EMAIL PROTECTED]>:
> Florian Weimer wrote:
> > >> (Note that I have yet to test Lorenzo's new package.)
> > >
> > > Are you in a position to do so?
> >
> > Sure, but the question is if you want to rely on the results. You
> > don't seem to trust my judgement on this matter, fo
Florian Weimer wrote:
> >> (Note that I have yet to test Lorenzo's new package.)
> >
> > Are you in a position to do so?
>
> Sure, but the question is if you want to rely on the results. You
> don't seem to trust my judgement on this matter, for reasons I don't
> know.
I simply did not understan
* Florian Weimer <[EMAIL PROTECTED]>:
> * Lorenzo Martignoni:
>
> > The patch has been tested by me and by Paul Gear but further tests will
> > be better, so your feedback will be very precious.
>
> Apart from the lack of CVE entry in the changelog, the package seems
> to be fine. Both problem
* Lorenzo Martignoni:
> The patch has been tested by me and by Paul Gear but further tests will
> be better, so your feedback will be very precious.
Apart from the lack of CVE entry in the changelog, the package seems
to be fine. Both problems are fixed.
There is a surprising reduction of the
* Florian Weimer <[EMAIL PROTECTED]>:
> * Martin Schulze:
>
> >> > What was the behaviour pre-sarge?
> >> > What is the behaviour post-sarge (or rather in sarge)?
> >>
> >> Do you mean "before and after the upstream security update"? The
> >> terms pre-sarge/post-sarge do not make much sense to
* Martin Schulze:
>> > What was the behaviour pre-sarge?
>> > What is the behaviour post-sarge (or rather in sarge)?
>>
>> Do you mean "before and after the upstream security update"? The
>> terms pre-sarge/post-sarge do not make much sense to me in this
>> context, I'm afraid.
>
> Ok, so when d
Florian Weimer wrote:
> * Martin Schulze:
>
> > What was the behaviour pre-sarge?
> > What is the behaviour post-sarge (or rather in sarge)?
>
> Do you mean "before and after the upstream security update"? The
> terms pre-sarge/post-sarge do not make much sense to me in this
> context, I'm afrai
* Florian Weimer <[EMAIL PROTECTED]>:
> * Martin Schulze:
>
> > What was the behaviour pre-sarge?
> > What is the behaviour post-sarge (or rather in sarge)?
>
> Do you mean "before and after the upstream security update"? The
> terms pre-sarge/post-sarge do not make much sense to me in this
> c
* Martin Schulze:
> What was the behaviour pre-sarge?
> What is the behaviour post-sarge (or rather in sarge)?
Do you mean "before and after the upstream security update"? The
terms pre-sarge/post-sarge do not make much sense to me in this
context, I'm afraid.
> What do you think is the vulnera
Florian Weimer wrote:
> * Martin Schulze:
>
> > So a summary would be to leave the package as it is in sarge, right?
>
> Based on the facts, I reach the opposite conclusion. The upstream
> changes should be merged. However, since easy workarounds are
> possible, we might get away without code c
Florian Weimer wrote:
> As far as I understand it, from the perspective of the security team,
> it is not clear if the upstream change breaks existing user
> configurations. Users might rely on the current behavior and use it
> to deliberately weaken the filter policy. This is a reasonable
> ques
* Martin Schulze:
> So a summary would be to leave the package as it is in sarge, right?
Based on the facts, I reach the opposite conclusion. The upstream
changes should be merged. However, since easy workarounds are
possible, we might get away without code changes, if issuing the
update Lorenz
As far as I understand it, from the perspective of the security team,
it is not clear if the upstream change breaks existing user
configurations. Users might rely on the current behavior and use it
to deliberately weaken the filter policy. This is a reasonable
question because the existing docume
14 matches