
Bug#805127: jessie-pu: package charybdis/3.4.2-4+b1



Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

Charybdis is unfortunately in very bad shape in stable right now. There
was an oversight during the release process that made this bug not
appear as release critical:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=768339

Yet because of this bug, charybdis is basically unusable with TLS
enabled (which is the default). The error message is obscure and it is
unlikely that anyone can fix this problem on their own without having a
strong intuition.

I have therefore made a small upload for the package on sid. It fixes
that issue, but also a minor security vulnerability that was also
unfixed in jessie (and wheezy):

https://tracker.debian.org/news/725820

I have talked with the security team and they agree that a DSA is not
necessary because of the workaround (and the fact that charybdis is
broken anyways). The CVE has been marked as no-dsa by the team here:

https://security-tracker.debian.org/tracker/CVE-2015-5290

So I would like to upload the -5 release to stable (jessie) directly. I
attached the debdiff between -4 and -5 to this mail.

Since upstream is not maintaining 3.3 anymore and the upgrade is
transparent, I would also suggest that -5 is uploaded to wheezy as well,
but I understand that would be quite a stretch (no pun intended).

Wheezy, as far as I know, is not affected by #768339 so is more stable,
but it *is* affected by the security vulnerability. The patch I
cherry-picked for -5 *seems* to apply to the wheezy version, but I don't
have an environment to test this right now.

Thanks for any feedback.

A.

-- System Information:
Debian Release: 8.2
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_CA.UTF-8, LC_CTYPE=fr_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)