
Bug#805127: marked as done (jessie-pu: package charybdis/3.4.2-4+b1)



Your message dated Sat, 23 Jan 2016 13:57:15 +0000
with message-id <1453557435.1835.52.camel@adam-barratt.org.uk>
and subject line 8.3 point release cleanup
has caused the Debian Bug report #805127,
regarding jessie-pu: package charybdis/3.4.2-4+b1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
805127: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=805127
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

Charybdis is unfortunately in very bad shape in stable right now. There
was an oversight during the release process that made this bug not
appear as release critical:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=768339

Yet because of this bug, charybdis is basically unusable with TLS
enabled (which is the default). The error message is obscure and it is
unlikely that anyone can fix this problem on their own without having a
strong intuition.

I have therefore made a small upload for the package on sid. It fixes
that issue, but also a minor security vulnerability that was also
unfixed in jessie (and wheezy):

https://tracker.debian.org/news/725820

I have talked with the security team and they agree that a DSA is not
necessary because of the workaround (and the fact that charybdis is
broken anyways). The CVE has been marked as no-dsa by the team here:

https://security-tracker.debian.org/tracker/CVE-2015-5290

So I would like to upload the -5 release to stable (jessie) directly. I
attached the debdiff between -4 and -5 to this mail.

Since upstream is not maintaining 3.3 anymore and the upgrade is
transparent, I would also suggest that -5 is uploaded to wheezy as well,
but I understand that would be quite a stretch (no pun intended).

Wheezy, as far as I know, is not affected by #768339 so is more stable,
but it *is* affected by the security vulnerability. The patch I
cherry-picked for -5 *seems* to apply to the wheezy version, but I don't
have an environment to test this right now.

Thanks for any feedback.

A.

-- System Information:
Debian Release: 8.2
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_CA.UTF-8, LC_CTYPE=fr_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

--- End Message ---
--- Begin Message ---
Version: 8.3

Hi,

The updates referred to in these bugs were included in today's 8.3
Jessie point release.

Regards,

Adam

--- End Message ---
