
Re: updating sitesummary in stable+oldstable due to regression introduced with apache update (Re: Bug#856539: jessie-pu: package sitesummary/0.1.17+deb8u2)



On Mar/09, Holger Levsen wrote:
> Dear security team,
> 
> On Thu, Mar 09, 2017 at 07:20:40PM +0000, Adam D. Barratt wrote:
> > On Thu, 2017-03-02 at 09:50 +0000, Holger Levsen wrote:
> > > On Thu, Mar 02, 2017 at 09:12:34AM +0100, Petter Reinholdtsen wrote:
> > > > Usertags: pu
> > > > 
> > > > The sitesummary package in stable is affected by one RC bug causing all
> > > > clients to fail to submit data to the collector, and thus breaking the
> > > > service SiteSummary is supposed to provide (collect data about
> > > > machines).  The problem is triggered by the recent update of Apache.
> > > [...]
> > > > I would like to update the stable version of sitesummary to fix this
> > > > bug.  It affects Debian Edu, but also all other users of SiteSummary in
> > > > Jessie.  Are you OK with me uploading a package with this change?  How
> > > > quickly is it possible to get this change into Jessie?
> > > 
> > > (this would normally take several weeks or months, until the next jessie
> > > point release will happen, which AFAIK is not yet planned. IOW: date is unknown.)
> > >  
> > > as this regression was introduced by DSA-3796, wouldn't it be appropriate to
> > > update sitesummary via jessie-security as well?
> > 
> > Have either of you asked the Security Team about that?
> 
> no, we haven't yet.
> 
> So, #852623 is about sitesummary being broken due to the fix for CVE-2016-8743
> and while #852623 has been fixed in sid and stretch, we would also like to fix
> #852623 in sitesummary in jessie and stable.
> 
> So at first, we thought to go via proposed-updates, but as you can see Adam
> suggested to go via stable-security (and LTS I suppose) - what do you think?
> 
> Going via security would be much nicer as this would fix this in the real
> world much sooner…!

Sure, we can do that. Send us a debdiff and we can take it from there.

Cheers,

--Seb
