Hi Mike, zigo,

Thanks for your replies,

>> I very much think it's safer to just allow SQLAlchemy to migrate right
>> now, to fix the potential SQL insertion vulnerability, rather than
>> waiting for any (potential, but likely rare) issue in the above reverse
>> dependencies.
>>
>> I do think a gentle ping to the maintainers of the above packages would
>> be nice, but probably mass-filing of bugs isn't needed. How can I
>> easily gather the list of maintainers? Is there a script somewhere to do
>> this, or should I write it myself (which shouldn't be hard with some
>> apt-cache show in a loop...)?
>>
>> Piotr, Mike, is what I wrote above accurate?
>
> I can confirm Openstack is likely OK, most packages are likely OK, and
> if a package is not OK, it's a trivial fix for them.

But as long as they are not fixed, how severe do you expect those issues to be? I suggest proceeding with contacting them, just so maintainers can check their package if they care.

@zigo, if you have the package name, you can contact the maintainers by sending to <package-name>@packages.debian.org. I'm not 100% sure if this only works for source package names.

Paul