On Sun, 1 Mar 2020, Emilio Pozuelo Monfort wrote:
I think we can all agree that the problem here is that there was an unexpected issue (a security upload getting rejected) that required sort of immediate work from a third party (an ftp-master).
I would like to add here, that the CVE in question is marked as no-dsa in Stretch and Buster, so I don't see that the term "immediate" is appropriate. And while I am at it, why aren't the other seven CVEs for zsh that are also marked as no-dsa solved as well?
Thorsten