On Thu, Dec 27, 2018 at 09:44:33PM +0100, Salvatore Bonaccorso wrote:
> Hi Mike,
> 
> On Thu, Nov 22, 2018 at 08:00:07PM +0100, Moritz Mühlenhoff wrote:
> > On Fri, Oct 26, 2018 at 04:46:39PM +0000, mike.gabr...@das-netzwerkteam.de wrote:
> > > Hi,
> > > 
> > > On Friday, 26 October 2018, Moritz Mühlenhoff wrote:
> > > > On Tue, Sep 18, 2018 at 05:06:14PM +0000, Mike Gabriel wrote:
> > > > > Hi,
> > > > > 
> > > > > On  Mo 17 Sep 2018 23:20:33 CEST, Moritz Mühlenhoff wrote:
> > > > > 
> > > > > > On Mon, Sep 17, 2018 at 09:07:38PM +0000, Mike Gabriel wrote:
> > > > > > > I have looked at the changes between 3.1.33 (just uploaded to unstable) and
> > > > > > > 3.1.31 (in stable). They are awful. Read the below...
> > > > > > > 
> > > > > > > 15:42 < sunweaver> Hi all, I have just looked into
> > > > > > > https://security-tracker.debian.org/tracker/CVE-2018-16831
> > > > > > > 15:43 < sunweaver> even for stretch, it is pretty much impossible to backport the patch series (at least for patches, all containing tons of regexp with multitudes of slashes and backslashes).
> > > > > > > 15:43 < sunweaver> totally insane...
> > > > > > > 15:44 < sunweaver> in fact, my recommendation for jessie and stretch would be (with my maintainer hat _and_ LTS team hats on at once): bring the latest upstream release to jessie/stretch.
> > > > > > > 15:44 < sunweaver> In jessie, we need to upgrade smarty-lexer as well for that.
> > > > > > > 15:46 < sunweaver> the 4 patches we needed at least are these...
> > > > > > > 15:47 < sunweaver> https://github.com/smarty-php/smarty/commit/8d21f38dc35c4cd6b31c2f23fc9b8e5adbc56dfe
> > > > > > > 15:47 < sunweaver> https://github.com/smarty-php/smarty/commit/f9ca3c63d1250bb56b2bda609dcc9dd81f0065f8
> > > > > > > 15:47 < sunweaver> https://github.com/smarty-php/smarty/commit/2e081a51b1effddb23f87952959139ac62654d50
> > > > > > > 15:47 < sunweaver> https://github.com/smarty-php/smarty/commit/c9dbe1d08c081912d02bd851d1d1b6388f6133d1
> > > > > > > 15:48 < sunweaver> and these four sit on top of this...
> > > > > > > 15:48 < sunweaver> https://github.com/smarty-php/smarty/commit/f7a53162058de410a35a9848e6d0795d7c252aaf
> > > > > > > 15:48 < sunweaver> and 10+ other commits.
> > > > > > > 15:48 < sunweaver> all tackling the same code passage.
> > > > > > > 15:49 < sunweaver> @all: can we reach consensus that latest upstream release would be best for jessie LTS and stretch (OT here).
> > > > > > > 
> > > > > > > The pile of patches is so awful, I strongly advise getting latest
> > > > > > > smarty-lexer and latest smarty3 from unstable into stable with thorough
> > > > > > > testing of dependent application (gosa, FusionDirectory, slbackup-php, ...).
> > > > > > > Most of them are maintained by me and I have running setups for testing this
> > > > > > > (except 1 package in Debian IIRC).
> > > > > > 
> > > > > > If you have reasonable test coverage of the reverse deps, we can do that.
> > > > > > 
> > > > > > But let's wait for a few more days to spot eventual regressions reported
> > > > > > in unstable first. Also, make sure to coordinate the release of the DLA with
> > > > > > the DSA, otherwise we end up with a situation where oldstable has a higher
> > > > > > version number than stable.
> > > > > > 
> > > > > > Cheers,
> > > > > >         Moritz
> > > > > 
> > > > > I will wait another week with this. I'd like to get this solved before my
> > > > > VAC (6th Oct - 21st Oct).
> > > > 
> > > > What's the status?
> > > > 
> > > > Cheers,
> > > >         Moritz
> > > >
> > > 
> > > I am still waiting for upstream to verify / confirm my patch. Ping dropped
> > > Monday this week.
> > 
> > Any feedback?
> 
> Did you get any feedback on it?

*ping*

Cheers,
        Moritz
