Hello, Am 01.07.20 um 17:50 schrieb Utkarsh Gupta: [...] > > Right now, this package has been claimed in dla-needed.txt by Markus > and in dsa-needed.txt by jmm. > Although I think jmm is working on Stretch and Markus is working on > Jessie. But to be very explicit (since explicit is better than > implicit :)), I am going to move the package from dla-needed.txt to > ela-needed.txt (since it's listed in packages-to-support and since > Jessie is now ELTS!). > This will indeed make sure that there is no clash of work. > > Please shout back if I should not. Thanks for being proactive. Actually I am working on Jessie and Stretch. Imagemagick in oldstable has never received any attention from the maintainers, thus I wonder why this is the case now when the switch to LTS is imminent. There are 60 open or ignored CVE in Stretch. Do the maintainers of imagemagick intend to fix them all? > 2. squid3/oldstable > > Right now, this package has been claimed in dla-needed.txt by Markus > and by no one in dsa-needed.txt. > Now, this is an interesting part. > squid3 is not supported in Jessie ELTS. So we just want to fix it for > Stretch. This means that it'd be very nice if Markus can work on > oldstable DSA instead. > This also means that I am considering to drop it from dla-needed > (because it doesn't make sense to have it there anymore!?). > > Please really should back if I should not. The update is ready. There is a new CVE, CVE-2020-15049, but it can be postponed for now. That should not stall the release. I wanted to send an request for testing to debian-lts due to the many changes in the code base. The same version can be used for Jessie and Stretch. I would keep squid3 in dla-needed.txt since the update is relevant for Stretch. Regards, Markus
Attachment:
signature.asc
Description: OpenPGP digital signature