On Thu, Dec 27, 2018 at 09:44:33PM +0100, Salvatore Bonaccorso wrote:
> Hi Mike,
>
> On Thu, Nov 22, 2018 at 08:00:07PM +0100, Moritz Mühlenhoff wrote:
> > On Fri, Oct 26, 2018 at 04:46:39PM +0000, mike.gabr...@das-netzwerkteam.de wrote:
> > > Hi,
> > >
> > > On Friday, 26 October 2018, Moritz Mühlenhoff wrote:
> > > > On Tue, Sep 18, 2018 at 05:06:14PM +0000, Mike Gabriel wrote:
> > > > > Hi,
> > > > >
> > > > > On Mo 17 Sep 2018 23:20:33 CEST, Moritz Mühlenhoff wrote:
> > > > >
> > > > > > On Mon, Sep 17, 2018 at 09:07:38PM +0000, Mike Gabriel wrote:
> > > > > > > I have looked at the changes between 3.1.33 (just uploaded to unstable) and
> > > > > > > 3.1.31 (in stable). They are awful. Read the below...
> > > > > > >
> > > > > > > 15:42 < sunweaver> Hi all, I have just looked into https://security-tracker.debian.org/tracker/CVE-2018-16831
> > > > > > > 15:43 < sunweaver> even for stretch, it is pretty much impossible to backport the patch series (at least for patches, all containing tons of regexp with multitudes of slashes and backslashes).
> > > > > > > 15:43 < sunweaver> totally insane...
> > > > > > > 15:44 < sunweaver> in fact, my recommendation for jessie and stretch would be (with my maintainer hat _and_ LTS team hats on at once): bring the latest upstream release to jessie/stretch.
> > > > > > > 15:44 < sunweaver> In jessie, we need to upgrade smarty-lexer as well for that.
> > > > > > > 15:46 < sunweaver> the 4 patches we needed at least are these...
> > > > > > > 15:47 < sunweaver> https://github.com/smarty-php/smarty/commit/8d21f38dc35c4cd6b31c2f23fc9b8e5adbc56dfe
> > > > > > > 15:47 < sunweaver> https://github.com/smarty-php/smarty/commit/f9ca3c63d1250bb56b2bda609dcc9dd81f0065f8
> > > > > > > 15:47 < sunweaver> https://github.com/smarty-php/smarty/commit/2e081a51b1effddb23f87952959139ac62654d50
> > > > > > > 15:47 < sunweaver> https://github.com/smarty-php/smarty/commit/c9dbe1d08c081912d02bd851d1d1b6388f6133d1
> > > > > > > 15:48 < sunweaver> and these four sit on top of this...
> > > > > > > 15:48 < sunweaver> https://github.com/smarty-php/smarty/commit/f7a53162058de410a35a9848e6d0795d7c252aaf
> > > > > > > 15:48 < sunweaver> and 10+ other commits.
> > > > > > > 15:48 < sunweaver> all tackling the same code passage.
> > > > > > > 15:49 < sunweaver> @all: can we reach consensus that latest upstream release would be best for jessie LTS and stretch (OT here).
> > > > > > >
> > > > > > > The pile of patches is so awful, I strongly advise getting latest
> > > > > > > smarty-lexer and latest smarty3 from unstable into stable with thorough
> > > > > > > testing of dependent applications (gosa, FusionDirectory, slbackup-php, ...).
> > > > > > > Most of them are maintained by me and I have running setups for testing this
> > > > > > > (except 1 package in Debian IIRC).
> > > > > >
> > > > > > If you have reasonable test coverage of the reverse deps, we can do that.
> > > > > >
> > > > > > But let's wait for a few more days to spot eventual regressions reported
> > > > > > in unstable first. Also, make sure to coordinate the release of the DLA with
> > > > > > the DSA, otherwise we end up with a situation where oldstable has a higher
> > > > > > version number than stable.
> > > > > >
> > > > > > Cheers,
> > > > > > Moritz
> > > > >
> > > > > I will wait another week with this. I'd like to get this solved before my
> > > > > VAC (6th Oct - 21st Oct).
> > > >
> > > > What's the status?
> > > >
> > > > Cheers,
> > > > Moritz
> > > >
> > >
> > > I am still waiting for upstream to verify / confirm my patch. Ping
> > > dropped Monday this week.
> >
> > Any feedback?
>
> Did you get any feedback on it?

*ping*

Cheers,
Moritz