
Re: Wheezy update of irssi?



Hi Rhonda,

The 2 CVEs that I marked as no DSA, security team did the same for
stretch: CVE-2017-10965 and CVE-2017-1066. Probably you are talking about
CVE-2017-5393 and CVE-2017-5394, maybe CVE-2017-5356. Those were marked as
no DSA by another member of the team (LTS and/or security), so I did not
intend to override someone else's decision. If other members of the team
agree with that I can promptly prepare an upload for these issues
targeting Jessie and wheezy.

I am not here avoiding doing things or trying to make your life difficult.
I am on your side. If I am able to do that I will.

Cheers,

On 2017-09-05 08:06, Rhonda D'Vine wrote:
> Hi,
> 
>  erm, those two are already in the stretch-proposed-updates, it
> shouldn't be much of a burden to carry that over to jessie and then
> wheezy.  If you really think of leaving those out while they are readily
> available this looks kinda strange to me, and is just wasted effort
> because I will have to push them there if you don't.
> 
>  So long,
> Rhonda
> 
> 
> * Lucas Kanashiro <kanashiro.duarte@gmail.com> [2017-09-04 18:54:45 CEST]:
>> Hi,
>>
>> After reviewing the 4 CVEs [0] that affect irssi in wheezy I intend to follow
>> the Security Team and mark the CVE-2017-10965 and CVE-2017-10966 as no-DSA
>> and fix the other two, CVE-2017-9468 and CVE-2017-9469. I've prepared an
>> upload for wheezy-security based on the two patches provided by the
>> Security Team to fix the mentioned CVEs in jessie, the debdiff is attached.
>>
>> If someone has a different idea in mind share with me please.
>>
>> Cheers.
>>
>> [0] https://security-tracker.debian.org/tracker/source-package/irssi
>>
>>
>> 2017-08-31 8:02 GMT-03:00 Lucas Kanashiro <kanashiro.duarte@gmail.com>:
>>
>> > Hi Rhonda,
>> >
>> > Do not worry, I can handle that for you, wheezy and jessie. Should I send
>> > a debdiff to you for revision?
>> >
>> > Thanks for your fast reply.
>> >
>> > Cheers.
>> >
>> >
>> > On 31 Aug 2017 05:04, "Rhonda D'Vine" <rhonda@deb.at> wrote:
>> >
>> >     Hi,
>> >
>> >  there is no update in jessie yet for that, and I try to do such things
>> > top-down.  I still believe that the priority should be on that instead
>> > of on the LTS release, but I understand that that doesn't get payment.
>> >
>> >  I'm still quite busy here, and the issue is not that big of one, but if
>> > you want to prepare a wheezy update before I can find the time to
>> > tackle it pretty please also do a jessie one right ahead too, otherwise
>> > it looks kinda skew and gives a false impression of your intentions.
>> >
>> >  Enjoy,
>> > Rhonda
>> >
>> >
>> > * Lucas Kanashiro <kanashiro.duarte@gmail.com> [2017-08-30 22:42:27 CEST]:
>> > > Hi all,
>> > >
>> > > Any news about this? Will maintainers take care of irssi CVEs in wheezy?
>> > >
>> > > As Antoine said, irssi is one of the packages on our radar. I will wait for an
>> > > answer until the end of the week, otherwise I'll prepare an upload based on
>> > > patches in jessie and stretch.
>> > >
>> > > Cheers.
>> > >
>> > >
>> > > 2017-06-27 15:33 GMT-03:00 Antoine Beaupré <anarcat@orangeseeds.org>:
>> > >
>> > > > On 2017-06-09 10:22:37, Rhonda D'Vine wrote:
>> > > > >     Dear Ola,
>> > > > >
>> > > > >  this is on my board.  The issue isn't that pressing, and I want to fix
>> > > > > it for stretch and jessie too, and only do the update for wheezy after
>> > > > > those got approved (which I expect).  If it won't be approved for
>> > > > > stretch and jessie there is quite little sense to invest to fix it just
>> > > > > for wheezy. :)
>> > > > >
>> > > > >  At least it won't get tackled by the security team, so I don't see much
>> > > > > of a pressure that the LTS team should put it high on its priority,
>> > > > > there are probably more pressuring things to fix.
>> > > >
>> > > > Hi Rhonda!
>> > > >
>> > > > Just to let you know, it's not high priority, but it's still on our
>> > > > dashboard. :) LTS issues are prioritized by how many people have the
>> > > > affected packages installed, and irssi is one of the packages that have
>> > > > "votes". Considering it's a remote DOS, I still believe it's worth
>> > > > fixing.
>> > > >
>> > > > We are happy, of course, to wait for you to make the update if you still
>> > > > plan on doing so, now that updates trickled down in stretch/jessie. Do
>> > > > let us know, however, if you want the LTS team to take care of it for
>> > > > wheezy.
>> > > >
>> > > > Thanks!
>> > > >
>> > > > A.
>> > > >
>> > > > --
>> > > > The destruction of the totalitarian market society is not a matter of
>> > > > opinion. It is an absolute necessity in a world that we know is
>> > > > doomed. Since power is everywhere, it is everywhere and all the time
>> > > > that it must be fought. - Jean-François Brient, de la servitude moderne
>> > > >
>> > > >
>> > >
>> > >
>> > > --
>> > > Lucas Kanashiro
>> >
>> > --
>> > If you feel discouraged, take courage at last, go    |
>> > If you feel helpless, go out and help, go            | Wir sind Helden
>> > If you feel powerless, go out and act, go            | 23.55: Alles auf Anfang
>> > If you feel adrift, find a hold and let go           |
>> >
>> >
>> >
>>
>>
>> --
>> Lucas Kanashiro

-- 
Lucas Kanashiro

