[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Security updates to wheezy-backports vs. -sloppy

openssh/wheezy-backports needs to be updated for recent CVEs which were
fixed in 1:7.1p2-1.  I can upload a straightforward backport of
1:7.1p2-1 since it's now in testing, but this is newer than the version
in stable so it would have to go to wheezy-backports-sloppy.  (There are
also a few older CVEs from the 6.9 era which should be fixed, and these
have the same problem.)

Can somebody confirm that the correct procedure for this would be as

 * upload 1:6.7p1-5~bpo70+1 to wheezy-backports, based on 1:6.7p1-5 in
   jessie but with the addition of cherry-picked patches to fix security
 * upload 1:7.1p2-1~bpo7+1 to wheezy-backports-sloppy and
   1:7.1p2-1~bpo8-1 to jessie-backports (not required, but I'd like to
   support this)

Mainly I just want to confirm that it's OK to cherry-pick security
patches in this way, rather than the alternative of telling
wheezy-backports users that they have to use wheezy-backports-sloppy to
get security fixes.


Colin Watson                                       [cjwatson@debian.org]

Reply to: