Bug#772468: unblock: (pre-approval) libspring-java/3.2.12-1

2015-02-03 Thread Emmanuel Bourg
Control: tags -1 - moreinfo Le 30/12/2014 15:12, Emmanuel Bourg a écrit : > Maybe we could let the version 3.2 enter unstable and be exposed to more > tests for a couple of weeks before we decide to either ignore or accept > it for Jessie? I already verified that the reverse dependencies build >

Bug#772468: unblock: (pre-approval) libspring-java/3.2.12-1

2014-12-30 Thread Emmanuel Bourg
Le 30/12/2014 00:29, Jonathan Wiltshire a écrit : > I certainly can't review a diff of this size. Out of our usual other > options, it sounds like you can't isolate targetted fixes, and removal > would impact a large number of dependent packages. > > Do you have any other suggestions? Maybe we c

Bug#772468: unblock: (pre-approval) libspring-java/3.2.12-1

2014-12-29 Thread Jonathan Wiltshire
On Fri, Dec 19, 2014 at 02:12:31AM +0100, Emmanuel Bourg wrote: > Le 19/12/2014 01:00, Jonathan Wiltshire a écrit : > > > Ok, I did some digging. CVE-2014-3578 seems to be unknown to some sources > > including NVD. Considering they are both meant to be directory traversal, > > I would guess it was

Bug#772468: unblock: (pre-approval) libspring-java/3.2.12-1

2014-12-18 Thread Emmanuel Bourg
Le 19/12/2014 01:00, Jonathan Wiltshire a écrit : > Ok, I did some digging. CVE-2014-3578 seems to be unknown to some sources > including NVD. Considering they are both meant to be directory traversal, > I would guess it was a duplicate assignment; let's ignore it for now. > > That leaves CVE-201

Bug#772468: unblock: (pre-approval) libspring-java/3.2.12-1

2014-12-18 Thread Jonathan Wiltshire
On Sun, Dec 07, 2014 at 03:56:33PM +0100, Emmanuel Bourg wrote: > Please unblock package libspring-java. This package is affected by two > security issues: CVE-2014-3578 (#760733) and CVE-2014-3625 (#769698). > The fix for CVE-2014-3578 is unknown and can't be backported, the only > solution left t

Bug#772468: unblock: (pre-approval) libspring-java/3.2.12-1

2014-12-17 Thread Emmanuel Bourg
Le 17/12/2014 21:10, Jonathan Wiltshire a écrit : > Can you make targetted bug fixes instead? I can't unfortunately, the actual fix is unknown. -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#772468: unblock: (pre-approval) libspring-java/3.2.12-1

2014-12-17 Thread Jonathan Wiltshire
Control: tag -1 moreinfo On Sun, Dec 07, 2014 at 03:56:33PM +0100, Emmanuel Bourg wrote: > Compared to the version 3.0.x the build system was switched from Maven > to Gradle and the source layout has been reorganized. This results in a > debdiff impossible to review (70M uncompressed, 1.7M lines),

Bug#772468: unblock: (pre-approval) libspring-java/3.2.12-1

2014-12-07 Thread Emmanuel Bourg
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package libspring-java. This package is affected by two security issues: CVE-2014-3578 (#760733) and CVE-2014-3625 (#769698). The fix for CVE-2014-3578 is unknown and can't be