
Re: [Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] CVE-2018-1057: postgresql-10, postgresql-9.6, postgresql-9.4, postgresql-9.1



Re: Brian May 2018-03-07 <87a7vk9yhn.fsf@prune.linuxpenguins.xyz>
> > jessie's postgresql-9.1 package is shipping a single binary package
> > only, postgresql-plperl-9.1. (Check the jessie release notes for the
> > rationale.) plperl is not affected by the changes as far as I can tell
> > by inspecting src/pl/plperl's git log.
> 
> Ok, I understand now. So this doesn't apply to wheezy, only Jessie.

We've done that keep-plperl-around-for-upgrades dance a few times in
the past, but dropped it for stretch, as the extra effort didn't seem
worth it, given upgrading works even if oldpg-plperl.deb is
uninstalled.

> > I don't plan to work on a 9.1 LTS release; the changes were deemed
> > below the radar by the Debian Security team, and wheezy's EOL is just
> > around the corner.
> 
> Yes, as the other versions were marked no-dsa, might be best just to
> mark it as no-dsa for wheezy too.
> 
> Any objections if I do this?

Please go ahead.

Thanks,
Christoph

