Rene Mayrhofer wrote:
> > http://www.idefense.com/application/poi/display?id=190&type=vulnerabilities&flashstatus=false
> >
> > Even though iDEFENSE wrote:
> >
> >    iDEFENSE has confirmed that Openswan 2.2.0 is vulnerable. All previous
> >    versions of Openswan also contain the vulnerable code.
> >
> > it seems that 2.3.0 in sid is vulnerable as well.

> Many thanks for informing me about this - I have somehow missed the 
> announcement (it does not seem to have been communicated over the openswan 
> announce mailing list either). I now have two packages ready, one 2.2.0 based 
> for testing (IMHO 2.3.0 should not enter testing in its current state - it is 
> broken upstream) and one 2.3.0 based for unstable which both fix the 
> mentioned security issue. How should I proceed? Upload one to unstable, the 
> other to testing as soon as you are prepared to release the DSA?

When you are pondering an upload only for testing it has to go through
testing-proposed-updates.  Please talk to the release team on
debian-release@lists.debian.org prior to the upload first.

Since we're waiting for testing-security for at least four months and
we have no idea when it will be up and running, waiting for it is not
an alternative.

If the unstable package should not enter testing you'll also have to
file an RC bug to keep it out.

Regards,

        Joey

-- 
Of course, I didn't mean that, which is why I didn't say it.
What I meant to say, I said.              -- Thomas Bushnell

Please always Cc to me when replying to me on the lists.

