Re: [Pkg-mailman-hackers] Bug#358575: mailman 2.1.5-8sarge3: screwup between security and maintainer upload
On Thu, Sep 07, 2006 at 08:02:06PM +0200, Florian Weimer wrote:
> * Martin Schulze:
>> Imho, it's more useful to upload 2.1.5-8sarge4 and only bump the
>> version number to get the new version built for all architectures into
>> the archive.
> While you are at it, you could also include this patch:
> Log Message:
> CVE-2006-3636. Fixes for various cross-site scripting issues. Discovery by
> Moritz Naumann and most of the repair work done by Mark Sapiro (with some
> additional work by Barry).
As far as I understand the policy listed on
http://release.debian.org/stable/3.1/3.1r3/, this would require a
DSA. Does the security team plan on doing a DSA on this if I prepare a
package, or does the stable release team grant me an exception to the
policy to prepare -8sarge4 with this patch? If not, I'll prepare a
-8sarge4 without any change as authorised by Martin Zobel-Helas.
If I get an answer (CCed to firstname.lastname@example.org, not only to
email@example.com) within two hours, I'll
prepare a package today (Friday 8 September).