Control: tags -1 + moreinfo

On 2015-09-03 15:44, Laurent Destailleur (eldy) wrote:
> A security error, CVE-2015-3935, was reported for the Dolibarr ERP CRM package. This bug is fixed in the official package 3.5.7 of Dolibarr. Package 3.5.7 is a maintenance release compared to 3.5.5 and contains only fixes. But not only the bugs reported to Debian: it also includes other fixes (but they are all related to stability or security). I think it is a better solution to validate this maintenance release based on the new upstream version of Dolibarr than to apply a patch for only CVE-2015-3935.
> [...]
> So I just need to know if it's ok to push such a version 3.5.7 (fixes for the 3.5.* branch) instead of only one fix for only the few (the only) reported Debian bugs, since it provides more stability and is for me a more secure process.
Certainly not whilst neither the CVE fix nor 3.5.7 are in unstable (which still has 3.5.5 without the fix, afaict).
Regards, Adam