Le mer. 15 avr. 2020 à 08:40, Salvatore Bonaccorso <car...@debian.org> a écrit : > > Hi Roberto, > > On Tue, Apr 14, 2020 at 05:45:54PM -0400, Roberto C. Sánchez wrote: > > On Tue, Apr 14, 2020 at 10:04:00PM +0200, Salvatore Bonaccorso wrote: > > > Control: tags -1 - moreinfo > > > > > > Hi Adam, > > > > > > On Sun, Apr 12, 2020 at 10:05:55PM +0100, Adam D. Barratt wrote: > > > > Control: tags -1 + moreinfo > > > > > > > > On Sun, 2020-04-12 at 09:23 -0400, Roberto C. Sanchez wrote: > > > > > Please find attached a proposed debdiff for php-horde-data. The > > > > > change fixes CVE-2020-8518, which the security team has classified as > > > > > <no- dsa>, deeming it a minor issue which can be fixed via a point > > > > > release. > > > > > > > > The Security Tracker indicates that this issue affects the package in > > > > unstable and is not yet fixed there; is that correct? > > > > > > This is correct, the issue has not been fixed in unstable "yet". The > > > horde ecosystem is currently unmaintained, and previous maintainer > > > indicated to ask actually for removal if nobody steps up. See #942282 > > > for context. > > > > > > That said, it's possible to either wait for a fix in unstable or the > > > removal of the php-horde* packages first before accepting the upload > > > for a buster point release (same for the other updates proposed by > > > Roberto). > > > > > > Does this make sense? > > > > > Hi Salvatore, > > > > I've communicated with Mathieu Parent (the php-horde-* maintainer) > > regarding his intentions for unstable uploads of these three packages. > > He has asked that I go ahead and perform the uploads. However, if you > > think that a removal request is forthcoming in the very near future, I > > will wait and not make those uploads. > > > > My intent was to have them done in the next 24 hours. Please advise if > > I should proceed or if I should wait for removal. > > That's fine if you communicated with Mathieu and he agreed then go > ahead and fix it as well in unstable. >
Thanks Roberto! Hello Salvatore, > Mathieu, but are you still planning to request removals? Done as #956808. Cheers! -- Mathieu Parent