
Re: CVE-2009-1284



On Fri, 20 Nov 2009 03:06:50 +0100 Norbert Preining wrote:

> On Do, 19 Nov 2009, Raphael Geissert wrote:
> > The bug submitter was not somebody from the team and apparently nobody
> > noticed it was fixed already, thanks for notifying. The tracker is manually
> > updated so that changes are reviewed.
> > If you modify the changelog to add a reference it won't make much of a
> > difference.
> 
> Ok, fine, then I leave it as it is.
> 
> > > Then, for stable: Do you want us to prepare a security update for lenny?
> > > 
> > 
> > It would be great if you could prepare uploads for oldstable and stable,
> > which would go through *-proposed-updates (and not via the security
> > queues). Thanks!
> 
> oldstable? Hmm, there are more urgent issues. *None* of the other CVEs 
> have been fixed in old-stable. We have prepared proposed-updates stuff
> for stable for all these, but not for oldstable.

note that oldstable is still technically supported (until february
2010), so it is desirable that all packages continue to get security
updates. however, this particular issue seems rather low-impact and
could probably be ignored (someone else should probably give a
definitive answer on that though). on the other hand, CVE-2007-5935 and
CVE-2007-5937 seem somewhat severe and should probably be fixed.

you could also announce early discontinuation of security support for
tex in oldstable via a DSA.  you'll need to coordinate that with the
security team.

mike

