Re: XFree86 4.3.0-1 and security release status
Hi Branden,
On Tue, 10 Feb 2004, Branden Robinson wrote:
> Hi guys,
>
> As you may have noticed, the last 4.3.0-1 item is done[1].
Congratulations to all the XFS
> Two security flaws have recently been discovered in XFree86, and the
> Debian Security Team has been in contact with me about them. Their
> MITRE CVE candidate IDs are CAN-2004-0083 and CAN-2004-0084. The former
> was embargoed until 11 February, but since David Dawes committed a fix
> for -0083 to XFree86 CVS yesterday, that one is public. The other one
> is not yet, and is embargoed until 18 February.
>
> This will necessitate another security update for woody (4.1.0-16woody3)
> and updates to testing/unstable.
[SNIP]
> It may be that it makes sense to go ahead and release 4.3.0-1 to
> unstable even knowing that CAN-2004-0084 will have to be subsequently
> fixed, or the embargo may been mooted by third-party action.
>
> I'd appreciate feedback on this release plan.
Of course the security update for woody is a must.
I would suggest to upload another 4.2 with both the security fixes and
as soon as it hits testing go for 4.3. Right now we are sure 4.2 can flow in
a few days. 4.3 might not, leaving testing exposed (NOTE: I didn't check
the severity of these 2 security problems)
but yes you are right.. it's tempting.. :-)
> I would also like to hear
> from people who would like to join me in the Uploaders: field of the
> xfree86 package.
Just start with you :-) we can always add ourselves later ;) seriously.. it
shouldn't matter.
Fabio
--
<user> fajita: step one
<fajita> Whatever the problem, step one is always to look in the error log.
<user> fajita: step two
<fajita> When in danger or in doubt, step two is to scream and shout.