Hi Markus,

On Thu, May 12, 2016 at 08:31:46PM +0200, Markus Koschany wrote:
> > do you plan to also fix it in unstable? (and jessie…?)
> Yes, I intend to lend the Security Team a hand with a stable update as
> usual.

cool! :)

> Moreover I tested the new version by using the public exploit for this
> issue, I also executed and investigated upstream's test suite and used
> the usermode package to create, delete and modify user accounts. All in
> all this made me confident enough to release this fix ASAP.

cool!

> I would recommend to upgrade to the latest upstream release in unstable.

me too. I was even thinking about doing so with an NMU but then I looked at the upstream changes and they now also support python3, so updating the package for 0.62 is not completely trivial.

https://fedorahosted.org/libuser/browser/NEWS?rev=libuser-0.62

> But given that the package is unmaintained and basically abandoned I
> would remove it from Debian rather sooner than later and it seems the
> Security Team agrees.
> https://bugs.debian.org/818238

that bug misses one important bit: mock uses usermode, so removal of libuser would also result in removal of mock, which would be very unfortunate.

--
cheers,
Holger