
Bug#956535: buster-pu: package php-horde-data/2.1.4-5+deb10u1



Hi Roberto,

On Tue, Apr 14, 2020 at 05:45:54PM -0400, Roberto C. Sánchez wrote:
> On Tue, Apr 14, 2020 at 10:04:00PM +0200, Salvatore Bonaccorso wrote:
> > Control: tags -1 - moreinfo
> > 
> > Hi Adam,
> > 
> > On Sun, Apr 12, 2020 at 10:05:55PM +0100, Adam D. Barratt wrote:
> > > Control: tags -1 + moreinfo
> > > 
> > > On Sun, 2020-04-12 at 09:23 -0400, Roberto C. Sanchez wrote:
> > > > Please find attached a proposed debdiff for php-horde-data.  The
> > > > change fixes CVE-2020-8518, which the security team has classified as
> > > > <no-dsa>, deeming it a minor issue which can be fixed via a point
> > > > release.
> > > 
> > > The Security Tracker indicates that this issue affects the package in
> > > unstable and is not yet fixed there; is that correct?
> > 
> > This is correct, the issue has not been fixed in unstable "yet". The
> > horde ecosystem is currently unmaintained, and previous maintainer
> > indicated to ask actually for removal if nobody steps up. See #942282
> > for context.
> > 
> > That said, it's possible to either wait for a fix in unstable or the
> > removal of the php-horde* packages first before accepting the upload
> > for a buster point release (same for the other updates proposed by
> > Roberto).
> > 
> > Does this make sense?
> > 
> Hi Salvatore,
> 
> I've communicated with Mathieu Parent (the php-horde-* maintainer)
> regarding his intentions for unstable uploads of these three packages.
> He has asked that I go ahead and perform the uploads.  However, if you
> think that a removal request is forthcoming in the very near future, I
> will wait and not make those uploads.
> 
> My intent was to have them done in the next 24 hours.  Please advise if
> I should proceed or if I should wait for removal.

That's fine; if you communicated with Mathieu and he agreed, then go
ahead and fix it as well in unstable.

Mathieu, but are you still planning to request removals?

Regards,
Salvatore

