
Re: Wheezy update of irssi?



    Dear Lucas,

 maybe you should look into the git repository of the package instead of
assuming what I might mean.  Because like written, I specifically mean
CVE-2017-10965 and CVE-2017-10966 which are fixed in the package that I
uploaded to stretch-proposed and was approved (see #870659).  It is also
found in the corresponding bug report for those IDs (#867598).

 So, no, I'm not "probably talking about CVE-2017-5393 and CVE-2017-5394".
In case you don't find it through the package metadata, the link to the
git commitdiff is here:
http://git.deb.at/w/pkg/irssi.git/commitdiff/41f84e8

 Enjoy,
Rhonda


* Lucas Kanashiro <kanashiro@debian.org> [2017-09-05 13:44:29 CEST]:
> Hi Rhonda,
> 
> The 2 CVEs that I marked as no DSA, security team did the same for
> stretch: CVE-2017-10965 and CVE-2017-1066. Probably you are talking about
> CVE-2017-5393 and CVE-2017-5394, maybe CVE-2017-5356. Those were marked as
> no DSA by another member of the team (LTS and/or security), so I did not
> intend to override someone else's decision. If other members of the team
> agree with that I can promptly prepare an upload for these issues
> targeting Jessie and wheezy.
> 
> I am not here avoiding doing things or trying to make your life difficult.
> I am on your side. If I am able to do that I will.
> 
> Cheers,
> 
> On 2017-09-05 08:06, Rhonda D'Vine wrote:
> > Hi,
> > 
> >  erm, those two are already in the stretch-proposed-updates, it
> > shouldn't be much of a burden to carry that over to jessie and then
> > wheezy.  If you really think of leaving those out while they are readily
> > available this looks kinda strange to me, and is just wasted effort
> > because I will have to push them there if you don't.
> > 
> >  So long,
> > Rhonda
> > 
> > 
> > * Lucas Kanashiro <kanashiro.duarte@gmail.com> [2017-09-04 18:54:45 CEST]:
> >> Hi,
> >>
> >> After reviewing the 4 CVEs [0] that affect irssi in wheezy I intend to follow
> >> the Security Team and mark the CVE-2017-10965 and CVE-2017-10966 as no-DSA
> >> and fix the other two, CVE-2017-9468 and CVE-2017-9469. I've prepared an
> >> upload for wheezy-security based on the two patches provided by the
> >> Security Team to fix the mentioned CVEs in jessie, the debdiff is attached.
> >>
> >> If someone has a different idea in mind share with me please.
> >>
> >> Cheers.
> >>
> >> [0] https://security-tracker.debian.org/tracker/source-package/irssi
> >>
> >>
> >> 2017-08-31 8:02 GMT-03:00 Lucas Kanashiro <kanashiro.duarte@gmail.com>:
> >>
> >> > Hi Rhonda,
> >> >
> >> > Do not worry, I can handle that for you, wheezy and jessie. Should I send
> >> > a debdiff to you for revision?
> >> >
> >> > Thanks for your fast reply.
> >> >
> >> > Cheers.
> >> >
> >> >
> >> > On 31 Aug 2017 05:04, "Rhonda D'Vine" <rhonda@deb.at> wrote:
> >> >
> >> >     Hi,
> >> >
> >> >  there is no update in jessie yet for that, and I try to do such things
> >> > top-down.  I still believe that the priority should be on that instead
> >> > of on the LTS release, but I understand that that doesn't get payment.
> >> >
> >> >  I'm still quite busy here, and the issue is not that big of one, but if
> >> > you want to prepare a wheezy update before I can find the time to
> >> > tackle it pretty please also do a jessie one right ahead too, otherwise
> >> > it looks kinda skew and gives a false impression of your intentions.
> >> >
> >> >  Enjoy,
> >> > Rhonda
> >> >
> >> >
> >> > * Lucas Kanashiro <kanashiro.duarte@gmail.com> [2017-08-30 22:42:27 CEST]:
> >> > > Hi all,
> >> > >
> >> > > Any news about this? Will maintainers take care of irssi CVEs in wheezy?
> >> > >
> >> > > As Antoine said, irssi is one of the packages in our radar. I will wait an
> >> > > answer until the end of the week, otherwise I'll prepare an upload based on
> >> > > patches in jessie and stretch.
> >> > >
> >> > > Cheers.
> >> > >
> >> > >
> >> > > 2017-06-27 15:33 GMT-03:00 Antoine Beaupré <anarcat@orangeseeds.org>:
> >> > >
> >> > > > On 2017-06-09 10:22:37, Rhonda D'Vine wrote:
> >> > > > >     Dear Ola,
> >> > > > >
> >> > > > >  this is on my board.  The issue isn't that pressing, and I want to fix
> >> > > > > it for stretch and jessie too, and only do the update for wheezy after
> >> > > > > those got approved (which I expect).  If it won't be approved for
> >> > > > > stretch and jessie there is quite little sense to invest to fix it just
> >> > > > > for wheezy. :)
> >> > > > >
> >> > > > >  At least it won't get tackled by the security team, so I don't see much
> >> > > > > of a pressure that the LTS team should put it high on its priority,
> >> > > > > there are probably more pressuring things to fix.
> >> > > >
> >> > > > Hi Rhonda!
> >> > > >
> >> > > > Just to let you know, it's not high priority, but it's still on our
> >> > > > dashboard. :) LTS issues are prioritized by how many people have the
> >> > > > affected packages installed, and irssi is one of the packages that have
> >> > > > "votes". Considering it's a remote DOS, I still believe it's worth
> >> > > > fixing.
> >> > > >
> >> > > > We are happy, of course, to wait for you to make the update if you still
> >> > > > plan on doing so, now that updates trickled down in stretch/jessie. Do
> >> > > > let us know, however, if you want the LTS team to take care of it for
> >> > > > wheezy.
> >> > > >
> >> > > > Thanks!
> >> > > >
> >> > > > A.
> >> > > >

-- 
If you feel discouraged, take heart at last, go on   |
If you feel helpless, go out and help, go on         | Wir sind Helden
If you feel powerless, go out and act, go on         | 23.55: Alles auf Anfang
If you feel adrift, find a hold and let go           |

