Hi Holger,

On 12.05.2016 at 18:12, Holger Levsen wrote:

[...]

> do you plan to also fix it in unstable? (and jessie…?)

Yes, I intend to lend the Security Team a hand with a stable update as usual.

> I think there should be the general rule to always fix things in
> unstable first, even if this requires an NMU by the LTS team. I also
> thought we agreed on this previously, but I might be wrong here. We
> certainly discussed this before…

I believe there should be no general rule that requires a security fix in unstable first. It should always be a matter of discretion. Fixing something in unstable makes sense if the same version exists in multiple Debian releases. For an update in Jessie this may be a good approach. However, the version in Wheezy required more changes, and this is not the same patch I would apply for Jessie. So it is quite likely that a user in unstable/testing wouldn't find a possible regression in Wheezy.

Moreover, I tested the new version by using the public exploit for this issue; I also executed and investigated upstream's test suite and used the usermode package to create, delete and modify user accounts. All in all, this made me confident enough to release this fix ASAP.

I would recommend upgrading to the latest upstream release in unstable. But given that the package is unmaintained and basically abandoned, I would remove it from Debian rather sooner than later, and it seems the Security Team agrees.

https://bugs.debian.org/818238

Regards,
Markus