SpamAssassin 3.1.8 will be released shortly with a fix for CVE-2007-0451, among other changes. What I'd like to know is whether I should build a 3.1.7 package with the backported security fix, or whether I should upload 3.1.8 to unstable and ask that it be propogated to testing. What are the guidelines in this area? Here's a summary of the changes from 3.1.7 to 3.1.8: 3.1.8 is a major bug-fix release, including the following issues: - bug 5318: set a maximum internal length for URIs - bug 5240: disable perl module usage in update channels unless --allowplugins is specified - bug 5288: files with names starting/ending in whitespace weren't usable - bug 5056: remove Text::Wrap related code due to upstream issues - bug 5145: update spamassassin and sa-learn to better deal with STDIN - bug 5140 and 5179: improvements and bug fixes related to DomainKeys and DKIM support - several updates for Received header parsing - several documentation updates and random taint-variable related issues If a backport is needed, do I upload 3.1.8 to unstable and then 3.1.7-2 to t-p-u or is it better to upload 3.1.7-2 and wait for it to propogate before uploading 3.1.8. Thanks, -- Duncan Findlay
Attachment:
pgpWWxW1J48nK.pgp
Description: PGP signature