On Mon, 5 Mar 2018 17:18:00 +0530 Pirate Praveen <prav...@debian.org> wrote:
> On Sunday 04 March 2018 10:29 PM, Moritz Mühlenhoff wrote:
> > We're now almost two months in after the upstream security
> > release. If this still isn't ready, that's a sign to me
> > that we can't reasonably support it, so the next best option
> > is to end-of-life it and eventually ask for its removal
> > from stretch.
> >
> > Cheers,
> > Moritz
> >
> I will ask upstream help in backporting and we can decide based on their
> response.
>

I will attach a debdiff tomorrow with the CVEs we already backported. And also will try to respond quicker in case of future CVEs.

CVE-2017-0923 seems to be not affecting 8.13 as this feature was introduced only in 9.1.

CVE-2017-0927 is affecting only an optional component of gitlab (continuous deployment), while still good to be able to fix it, I don't think it should result in a removal. I'm yet to hear back from upstream about their help in fixing this last CVE.