Bug#956535: buster-pu: package php-horde-data/2.1.4-5+deb10u1
On Tue, Apr 14, 2020 at 10:04:00PM +0200, Salvatore Bonaccorso wrote:
> Control: tags -1 - moreinfo
>
> Hi Adam,
>
> On Sun, Apr 12, 2020 at 10:05:55PM +0100, Adam D. Barratt wrote:
> > Control: tags -1 + moreinfo
> >
> > On Sun, 2020-04-12 at 09:23 -0400, Roberto C. Sanchez wrote:
> > > Please find attached a proposed debdiff for php-horde-data. The
> > > change fixes CVE-2020-8518, which the security team has classified as
> > > <no-dsa>, deeming it a minor issue which can be fixed via a point
> > > release.
> >
> > The Security Tracker indicates that this issue affects the package in
> > unstable and is not yet fixed there; is that correct?
>
> This is correct, the issue has not been fixed in unstable "yet". The
> horde ecosystem is currently unmaintained, and previous maintainer
> indicated to ask actually for removal if nobody steps up. See #942282
> for context.
>
> That said, it's possible to either wait for a fix in unstable or the
> removal of the php-horde* packages first before accepting the upload
> for a buster point release (same for the other updates proposed by
> Roberto).
>
> Does this make sense?
>
Hi Salvatore,

I've communicated with Mathieu Parent (the php-horde-* maintainer)
regarding his intentions for unstable uploads of these three packages.
He has asked that I go ahead and perform the uploads. However, if you
think that a removal request is forthcoming in the very near future, I
will wait and not make those uploads.

My intent was to have them done in the next 24 hours. Please advise if
I should proceed or if I should wait for removal.

Regards,

-Roberto
--
Roberto C. Sánchez