On 15.01.2012 20:39, Nicholas Bamber wrote:
unstable/testing [CVE-2012-0024, CVE-2011-5055]: This was fixed in 1.4.09-1 but Sam has issued one further release, 1.4.10 with a last tweak. For this version all the three CVE tickets are fundamentally the same issue.
stable [CVE-2012-0024, CVE-2011-5055]: I previously sent a debdiff. I need to issue a new one.
[...]
I am not sure what to do now apart from issuing 1.4.10-1. Do I raise new bug reports?
Based on the above, I'd suggest, in order:
- update unstable, ensuring that all relevant bugs are fixed there
- confirm with the security team that they don't wish to issue a fix for CVE-2011-5055 directly, if you haven't already done so (I suspect they won't, but the security tracker doesn't indicate that right now, so it's worth checking)
- assuming a nack from the security team, prepare an updated package from stable and send the new debdiff to this thread
Does that sound reasonable?

Regards,
Adam