
Bug#358575: mailman 2.1.5-8sarge3: screwup between security and maintainer upload

On Fri, Sep 08, 2006 at 05:03:06PM +0200, Lionel Elie Mamane wrote:
> On Thu, Sep 07, 2006 at 08:02:06PM +0200, Florian Weimer wrote:
>> * Martin Schulze:

>>> Imho, it's more useful to upload 2.1.5-8sarge4 and only bump the
>>> version number to get the new version built for all architectures into
>>> the archive.

>> While you are at it, you could also include this patch:

>> CVE-2006-3636.  Fixes for various cross-site scripting issues.  Discovery by
>> Moritz Naumann and most of the repair work done by Mark Sapiro (with some
>> additional work by Barry).

> As far as I understand the policy listed on
> http://release.debian.org/stable/3.1/3.1r3/, this would require a
> DSA. Does the security team plan on doing a DSA on this if I prepare a
> package, or does the stable release team grant me an exception to the
> policy to prepare -8sarge4 with this patch?

> If I get an answer (CCed to lionel@mamane.lu, not only to
> pkg-mailman-hackers@lists.alioth.debian.org) within two hours, I'll
> prepare a package today (Friday 8 September).

I must go away now, but I've prepared packages for a security update;
they are at http://people.debian.org/~lmamane/mailman/ .

