Re: Drop support for libqb?

On Fri, Nov 15, 2019 at 02:56:31PM +0100, Emilio Pozuelo Monfort wrote:
> On 14/11/2019 19:51, Roberto C. Sánchez wrote:
> > - Any feedback on this proposed DLA text?
> > 
> > Package        : debian-security-support
> > Version        : 2019.11.15~deb8u1
> > 
> > 
> > debian-security-support, the Debian security support coverage checker,
> > has been updated in jessie.
> > 
> > This marks the end of life of the libqb package in jessie.  A recently
> > reported vulnerability against libqb which allows users to overwrite
> > arbitrary files via a symlink attack cannot be adequately addressed in
> > libqb in jessie.  Upstream no longer supports this version and no
> > packages in jessie depend upon libqb, thus making it a leaf package.
> > 
> > We recommend that if your systems or applications depend upon the libqb
> > package provided from the Debian archive that you upgrade your systems
> > to a more recent Debian release or find an alternate and up to date
> > source of libqb packages.
> Looks fine to me. I have also noticed that we didn't get a
> debian-security-support update for the mysql-5.5 EOL, so if you can add a
> paragraph about it in the announcement (the changes to the
> debian-security-support were already there) that'd be great. Something such as:
> In addition to that, MySQL 5.5 is no longer supported as upstream ended its
> support and we are unable to backport fixes from newer versions due to the lack
> of patch details. Options are to switch to MariaDB 10.0 in jessie or to a newer
> version in more recent Debian releases.

I'll definitely add that.



Roberto C. Sánchez
