On Wed, Mar 28, 2007 at 04:03:09AM -0700, Steve Langasek wrote:
> On Wed, Mar 28, 2007 at 10:47:04AM +0000, Florian Ernst wrote:
> > blender (2.42a-5etch1) testing-proposed-updates; urgency=high
> > .
> > * Upload to t-p-u after talking to the security team
> > * Security: No longer ship the kmz_ImportWithMesh.py script since it allows
> > user-assisted remote attackers to execute arbitrary Python code by
> > importing a crafted (1) KML or (2) KMZ file [CVE-2007-1253].
>
> Uhm? I just saw Moritz quoted as saying:
>
> > The change in question would warrant a DSA, so I'm quite sure it will
> > get accepted if it only contains the change below. It's easily reviewable
> > and fixes a genuine security problem.

Right. And a few lines above this:

| On Tue, Mar 27, 2007 at 09:50:16PM +0200, Moritz Muehlenhoff wrote:
| > Florian Ernst wrote:
| >
| > > > Can you make an etch upload with only the removal of the buggy script?
| > > ^^^^
| > > Just for clarity's sake, you mean uploading to testing-proposed-updates?
| >
| > Yes.

> If it warrants a DSA, why was this not uploaded to testing-security instead
> of testing-proposed-updates?

Moritz, did you actually mean testing-security instead of t-p-u? If so I
probably didn't express myself clearly enough ... :/

Well, my aim as a maintainer is to get this fix into Etch. When
approaching d-release about this I was referred to security, while
security asked me to upload to t-p-u, or at least so I understood and
tried to clarify.

Please, how to best proceed from here?

Cheers,
Flo

PS: I'm subscribed to d-release.