On 2017-07-14 9:45, Arturo Borrero Gonzalez wrote:
> Control: tags -1 - moreinfo
>
> On 14 July 2017 at 10:31, Adam D. Barratt <a...@adam-barratt.org.uk> wrote:
>>> I named the new version 3.2.1-2 because by the time I wrote the
>>> changelog entry I didn't know
>>> if the package was to follow the security or stable-pu path.
>>> Versioning suggestion is welcome.
>>
>> For either security or p-u, it's <base version>+debXuY - so in this case
>> 3.2.1-1+deb9u1, with a changelog distribution of "stretch" for stable.
>>
>> I see that unstable has a 4.0 beta - I assume that also includes the
>> patch?
>
> Unstable is a different thing. I'm working on other issues there,
> regarding libhtp (see #783220).
> So yes, the patch will eventually land in unstable, but it isn't my
> focus right now.

Well, there's a general prerequisite that bugs that affect unstable as
well as stable are fixed in unstable first. Both because development
happens in unstable but also because it means patches get at least some
testing - it's also much, much easier to apply a follow-up fix in
unstable if there turn out to be issues.

> I guess the last upstream release includes the patch, but I'm not sure
> because I didn't check.

I did - the version in unstable certainly doesn't. It does contain code
that looks exactly the same as the vulnerable code in stable, so I
assume the bug also affects that version.

Regards,
Adam