
Re: Final polishing of the KDE 3.3 transition

#>   we'll go with lowering to 'important', with an attached explanation.

#285128: kdelibs: CAN-2004-1165: FTP command injection bug
severity 285128 important

#286516: kdebase: CAN-2004-1158: Konqueror Window Injection Vuln.
severity 286516 important

#286521: kdelibs: CAN-2004-1145: Konqueror Java Vulnerability
severity 286521 important

thanks mate, see you again after the transition

  In agreement with the Release Team, I'm downgrading the severity of
  the above three security bugs in KDE to important, so that KDE 3.3 can
  enter sarge. See this thread [1] for more info.

    [1] http://lists.debian.org/debian-release/2005/01/msg00004.html

  The severity will be restored right after the transition, and uploads
  to sid will shortly follow. Just to say what is going to happen:
  kdebase 3.3.1-4 will be uploaded first (along with an arts 1.3.2-2, not
  security related). While buildds churn these two, a kdelibs 3.3.2-1
  upload to sid will be prepared, and uploaded as soon as kdebase+arts
  is built in all arches.

  We need to upload kdelibs 3.3.2 since the fix for CAN-2004-1145 (the
  Java Vulnerability) is not easily backportable to 3.3.1. Having
  kdelibs 3.3.2 with the rest of packages being at 3.3.1 is a safe mix;
  in any case, we will test prior to uploading and the urgency won't be
  set to high.


Adeodato Simó
    EM: asp16 [ykwim] alu.ua.es | PK: DA6AE621
    Listening to: 10,000 Maniacs - don't talk
Don't worry about what anybody else is going to do. The best way to
predict the future is to invent it.
                -- Alan Kay
