
Re: spamassassin security update in Debian jessie LTS



On Sat, Feb 01, 2020 at 03:28:09PM +0000, Mike Gabriel wrote:
> So, I'd like to play the ball back to Noah. Do you think that applying the
> security patches is sufficient for spamassassin in stretch/buster? Or have
> there been so many other fixes(TM) that justify an upstream backport to
> jessie/stretch/buster.

Fixes for the current CVEs are not difficult, and I should be able to
make an LTS upload soonish.  See
https://salsa.debian.org/debian/spamassassin/tree/jessie-security

> Esp. I am thinking about future compatibility with (upstream'ish) ruleset
> updates when those are performed on a Debian (old(old))stable system using
> sa-update.

The big concern would be upstream dropping support for SHA1 signatures
on rules updates.  However, since jessie has already been updated to
3.4.2, that should not be an issue.  Other changes are *mostly* gated on
plugin availability.  You may end up unable to take advantage of new
rules added via sa-update, but you won't necessarily break.

If you want new plugins to be available, then IMO you should probably be
making use of the backports repositories rather than security updates.

> For jessie, I will follow what Noah will be doing in stretch+buster, then.
> Valid point. Thanks for bringing it up again, Salvatore.

If you'd like to make a jessie upload based on what's in the
jessie-security branch on salsa, please be my guest.

noah

