Hi,

thanks for hinting the last uploads into lenny w/o me requesting it. This time I don't want to miss asking for unblock.

Because of security issue #502728, I've prepared an update to the mantis package. Unfortunately this took me two uploads (because a bug introduced by the patch slipped through my testing :/) so the version to be unblocked would be 1.1.2+dfsg-8.

Changelogs:

 mantis (1.1.2+dfsg-8) unstable; urgency=high
 .
   * Urgency high because it is an update for a security issue which was
     patched in the last upload.
   * Updated the patch for the remote code execution vulnerability to avoid
     possible regressions that might be caused by the wrong implementation
     in the first patch.

 mantis (1.1.2+dfsg-7) unstable; urgency=high
 .
   * Urgency high because it fixes a security issue
   * Added a fix for remote code execution vulnerability that can be
     triggered by registered users (Closes: #502728)

Apart from this I'd like to ask about the release team's opinion: Upstream prepared a new upstream release a few days ago. It's a bugfix only release. It does not include new features, but the changeset is still rather intrusive, because they refined the implementation of form security tokens. Because of the large changes regressions are likely and so they already released a bugfix-for-the-bugfix-release and one or two releases are likely to follow.

Otherwise the current release makes a good and mature impression. I'm quite convinced that lenny users would benefit a lot from the next release (which will happen in a few days). Also it could make the work for the security team possibly a little bit easier.

On the other hand we are in deep freeze now and I'd usually like to avoid introducing large changesets into Lenny. But then again (given the current state of the release process) the package could get some more testing in Unstable before migrating and there are no reverse-depends for mantis. So the risk of including a totally untested package can be avoided and apart from this the package wouldn't be a risk for other packages.

I'm indecisive, but after all it isn't my opinion that counts. So my question is: What's the release team's opinion?

Best Regards,
Patrick