Control: tags -1 - moreinfo

Hi Adam,

On Sun, Apr 12, 2020 at 10:05:55PM +0100, Adam D. Barratt wrote:
> Control: tags -1 + moreinfo
>
> On Sun, 2020-04-12 at 09:23 -0400, Roberto C. Sanchez wrote:
> > Please find attached a proposed debdiff for php-horde-data. The
> > change fixes CVE-2020-8518, which the security team has classified as
> > <no-dsa>, deeming it a minor issue which can be fixed via a point
> > release.
>
> The Security Tracker indicates that this issue affects the package in
> unstable and is not yet fixed there; is that correct?

This is correct, the issue has not been fixed in unstable "yet". The horde ecosystem is currently unmaintained, and previous maintainer indicated to ask actually for removal if nobody steps up. See #942282 for context.

That said, it's possible to either wait for a fix in unstable or the removal of the php-horde* packages first before accepting the upload for a buster point release (same for the other updates proposed by Roberto).

Does this make sense?

Regards,
Salvatore