[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: spamassassin security update in Debian jessie LTS


Spamassassin (and a few other packages) are handled a little differently compared to most packages in Debian.

I'd advise that we go for the latest release. The only reason I see why we would not, would be if we introduce some major backwards compatibility issue.

// Ola

On Fri, 31 Jan 2020 at 19:14, Noah Meyerhans <noahm@debian.org> wrote:
On Fri, Jan 31, 2020 at 05:16:53PM +0100, Matus UHLAR - fantomas wrote:
> > and as spamassassin has been upstream version bumped in Debian jessie
> > LTS before, I am asking for your opinion, if you'd rather recommend
> > cherry-picking the fixes (which I haven't been able to identify yet in
> > upstream SVN) or simply upstream version bump spamassassin in jessie LTS
> > once more.
> >
> > @LTS team: sharing your feedback / opinions will be much appreciated, too.
> ... and I discussed this with some people on spamassassin mailing list.
> quoting one mail[1]:
> Key to the issue is I fail to see how the highly intrusive security work
> done for 3.4.3 can possibly be backported.
> My recommendation remains a strong: upgrade to 3.4.4.

That's always their recommendation.  Yet the fixes for the current CVEs
amount to less than 100 lines of diff against 3.4.3, including context.

I haven't looked into applying these changes to 3.4.2.  If somebody
wants to take this on, they're at





 --- Inguza Technology AB --- MSc in Information Technology ----
|  ola@inguza.com                    opal@debian.org            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |

Reply to: