Hi Sylvain, hi all,

On Thu, 7 Nov, 2019, 3:19 PM Sylvain Beucler, <b...@beuc.net> wrote:

> Hi,
>
> On 06/11/2019 21:14, Utkarsh Gupta wrote:
> > On 06/11/19 11:47 am, Brian May wrote:
> >> Utkarsh Gupta <guptautkarsh2...@gmail.com> writes:
> >>
> >>> I am not quite sure about what we should do here because the update
> >>> (DLA 1956-1) doesn't quite fix the CVE completely and also brings some
> >>> login problems as reported in #125.
> >>> Because for now, #121 + #126 = actual CVE fix. But the login problem
> >>> remains.
> >> I guess we have three options:
> >>
> >> 1. Do nothing.
> >> 2. Revert the #121 patch, because it could break. I haven't seen any
> >> complaints however...
> > Whilst that is true, I'd rather not want someone to face an "unexpected
> > response" error.
> > Though I hope no one is using that feature yet :)
> >
> >> 3. Apply the #126 patch too. Not 100% convinced this is a justified
> >> change for LTS, but it "looks right".
> >> 4. Wait longer for possible upstream solution to #125.
> >>
> >> Any opinions?
> > I'd be a +1 on the 2nd and/or the 4th option. And a +0.5 on the 3rd.
> Do the package maintainers have an opinion on this?
> This can help.
>

I recently fixed (by fixing, I mean importing the CVE fix, not the problem
it causes) this in unstable and I'm one of the package maintainers now :)

> Raphael, given that this package is low popcon and the vulnerability is
> fuzzy, do you know if the sponsor for this package would be willing to
> test fixes?
>

Given Raphael's last mail, I'm not sure if it could *really* be tested.
What makes sense now is to wait for the upstream fix *until* someone who
uses this library grumbles :)


Best,
Utkarsh
