
Bug#956535: buster-pu: package php-horde-data/2.1.4-5+deb10u1



Control: tags -1 - moreinfo

Hi Adam,

On Sun, Apr 12, 2020 at 10:05:55PM +0100, Adam D. Barratt wrote:
> Control: tags -1 + moreinfo
> 
> On Sun, 2020-04-12 at 09:23 -0400, Roberto C. Sanchez wrote:
> > Please find attached a proposed debdiff for php-horde-data.  The
> > change fixes CVE-2020-8518, which the security team has classified as
> > <no-dsa>, deeming it a minor issue which can be fixed via a point
> > release.
> 
> The Security Tracker indicates that this issue affects the package in
> unstable and is not yet fixed there; is that correct?

This is correct, the issue has not been fixed in unstable "yet". The
horde ecosystem is currently unmaintained, and the previous maintainer
indicated to actually ask for removal if nobody steps up. See #942282
for context.

That said, it's possible to either wait for a fix in unstable or the
removal of the php-horde* packages first before accepting the upload
for a buster point release (same for the other updates proposed by
Roberto).

Does this make sense?

Regards,
Salvatore

