
Re: Wheezy update of spamassassin?



On 2018-09-19 19:16:32, Noah Meyerhans wrote:
> On Wed, Sep 19, 2018 at 08:26:28PM +0200, Ola Lundqvist wrote:
>> The Debian LTS team would like to fix the security issues which are
>> currently open in the Wheezy version of spamassassin:
>> https://security-tracker.debian.org/tracker/CVE-2018-11780
>> https://security-tracker.debian.org/tracker/CVE-2018-11781
>> https://security-tracker.debian.org/tracker/CVE-2018-15705
>> 
>> Would you like to take care of this yourself?
>
> It's not yet clear how these will even be fixed in stretch, so it may be
> premature to think about wheezy.
>
> At the moment, upstream is advocating strongly for us to move to the
> newly released 3.4.2 upstream version in our stable branches. We're
> considering it, in part because upstream isn't providing a discrete set
> of patches to address the security issues.
>
> I will keep you informed (or worst case, you'll learn via
> debian-security-announce) as to the status of fixes for stable and LTS.

It would make sense to package 3.4.2 everywhere to me, considering it's
a minor point release. Unfortunately, it seems they bundle quite a bit
of stuff in their point release... :/

In the meantime, I'll make a note in the LTS process to hold off while
we figure this out.

In any case, I'd be happy to help with updates to any suite, since it
will likely be the same across all suites.

A.

-- 
There are two ways of constructing a software design: One way is to
make it so simple that there are obviously no deficiencies, and the
other way is to make it so complicated that there are no obvious
deficiencies. The first method is far more difficult.
                        - C.A.R. Hoare

