
XFree86 4.3.0-1 and security release status
Hi guys,

As you may have noticed, the last 4.3.0-1 item is done[1].

As tempting as it may be, please do not upload the package to unstable.

Two security flaws have recently been discovered in XFree86, and the
Debian Security Team has been in contact with me about them.  Their
MITRE CVE candidate IDs are CAN-2004-0083 and CAN-2004-0084.  The former
was embargoed until 11 February, but since David Dawes committed a fix
for -0083 to XFree86 CVS yesterday, that one is public.  The other one
is not yet, and is embargoed until 18 February.

This will necessitate another security update for woody (4.1.0-16woody3)
and updates to testing/unstable.

I am going to proceed with my SVN merge plan, as described in my reply
to Nathanael Nerode[2].  (Future merges of branches onto the trunk
should not be as painful as this one is.)

It may be that it makes sense to go ahead and release 4.3.0-1 to
unstable even knowing that CAN-2004-0084 will have to be subsequently
fixed, or the embargo may have been mooted by third-party action.

I'd appreciate feedback on this release plan.  I would also like to hear
from people who would like to join me in the Uploaders: field of the
xfree86 package.

[1] svn cat svn://necrotic.deadbeast.net/xfree86/branches/4.3.0/sid/debian/TODO | head
[2] Message-ID: <20040209205718.GE3425@deadbeast.net>

-- 
G. Branden Robinson                |    The first thing the communists do
Debian GNU/Linux                   |    when they take over a country is to
branden@debian.org                 |    outlaw cockfighting.
http://people.debian.org/~branden/ |    -- Oklahoma State Senator John Monks
