Hi,

After reviewing the 4 CVEs [0] that affect irssi in wheezy, I intend to follow the Security Team and mark CVE-2017-10965 and CVE-2017-10966 as no-DSA and fix the other two, CVE-2017-9468 and CVE-2017-9469. I've prepared an upload for wheezy-security based on the two patches provided by the Security Team to fix the mentioned CVEs in jessie; the debdiff is attached.

If someone has a different idea in mind, please share it with me.

Cheers.

[0] https://security-tracker.debian.org/tracker/source-package/irssi

2017-08-31 8:02 GMT-03:00 Lucas Kanashiro <kanashiro.dua...@gmail.com>:

> Hi Rhonda,
>
> Do not worry, I can handle that for you, wheezy and jessie. Should I send
> a debdiff to you for revision?
>
> Thanks for your fast reply.
>
> Cheers.
>
>
> On 31 Aug 2017 05:04, "Rhonda D'Vine" <rho...@deb.at> wrote:
>
> Hi,
>
> there is no update in jessie yet for that, and I try to do such things
> top-down. I still believe that the priority should be on that instead
> of on the LTS release, but I understand that that doesn't get payment.
>
> I'm still quite busy here, and the issue is not that big of one, but if
> you want to prepare a wheezy update before I can find the time to
> tackle it pretty please also do a jessie one right ahead too, otherwise
> it looks kinda skew and gives a false impression of your intentions.
>
> Enjoy,
> Rhonda
>
>
> * Lucas Kanashiro <kanashiro.dua...@gmail.com> [2017-08-30 22:42:27 CEST]:
> > Hi all,
> >
> > Any news about this? Will maintainers take care of irssi CVEs in wheezy?
> >
> > As Antoine said, irssi is one of the packages on our radar. I will wait
> > for an answer until the end of the week, otherwise I'll prepare an upload
> > based on patches in jessie and stretch.
> >
> > Cheers.
> >
> >
> > 2017-06-27 15:33 GMT-03:00 Antoine Beaupré <anar...@orangeseeds.org>:
> >
> > > On 2017-06-09 10:22:37, Rhonda D'Vine wrote:
> > > > Dear Ola,
> > > >
> > > > this is on my board. The issue isn't that pressing, and I want to fix
> > > > it for stretch and jessie too, and only do the update for wheezy after
> > > > those got approved (which I expect). If it won't be approved for
> > > > stretch and jessie there is quite little sense to invest to fix it just
> > > > for wheezy. :)
> > > >
> > > > At least it won't get tackled by the security team, so I don't see much
> > > > of a pressure that the LTS team should put it high on its priority,
> > > > there are probably more pressuring things to fix.
> > >
> > > Hi Rhonda!
> > >
> > > Just to let you know, it's not high priority, but it's still on our
> > > dashboard. :) LTS issues are prioritized by how many people have the
> > > affected packages installed, and irssi is one of the packages that have
> > > "votes". Considering it's a remote DOS, I still believe it's worth
> > > fixing.
> > >
> > > We are happy, of course, to wait for you to make the update if you still
> > > plan on doing so, now that updates trickled down in stretch/jessie. Do
> > > let us know, however, if you want the LTS team to take care of it for
> > > wheezy.
> > >
> > > Thanks!
> > >
> > > A.
> > >
> > > --
> > > The destruction of the totalitarian market society is not a matter
> > > of opinion. It is an absolute necessity in a world that we know to be
> > > condemned. Since power is everywhere, it is everywhere and all the
> > > time that it must be fought. - Jean-François Brient, de la servitude moderne
> >
> >
> > --
> > Lucas Kanashiro
>
> --
> If you feel discouraged, finally take courage, go |
> If you feel helpless, go out and help, go | Wir sind Helden
> If you feel powerless, go out and act, go | 23.55: Alles auf Anfang
> If you feel adrift, find a hold and let go |

--
Lucas Kanashiro
debdiff
Description: Binary data