Hi (especially Ola),

On 08/04/24 at 13:59, Sylvain Beucler wrote:
> Hi,
>
> I think this requires a bit of coordination:
> - the package is basically dead upstream, there hasn't been a fix in the
> official repos, neither Debian nor other distros attempted to fix them

The only "exception" seems to be Fedora. They have packaged r1909 and have patches for some (eight) CVEs on top of that:
https://src.fedoraproject.org/rpms/freeimage/tree/f40

I haven't checked if they are backportable to 3.18 nor 3.17. Ola, could you please take a look if they could help?

> - we do have a sponsor for LTS and ELTS/stretch, so we're paid to take care
> of this package
> - secteam usually sets unimportant/low/high severity, not us
>
> So I wonder if this package is still supportable. I'd suggest you sync with
> LTS Coordinator to see if we should invest time in fixing the issues
> ourselves, or drop the package from debian-security-support.

Before considering dropping its support, I would suggest to at least contact upstream one more time to query about its status, to see if they are interested in officially releasing 3.19, and why not, reporting the missing reports in their bug tracker as Moritz has suggested.

Also, there are some reverse dependencies to be taken into account.

[snip]

Cheers,

-- Santiago