Quoting Raphael Bossek (boss...@debian.org):
> Dear Christian,
>
> Debian has used a different directory structure than upstream for years.
> The CVE-2010-3764 patch cannot be applied as a drop-in because it
> affects the directory structure of Debian. You have to change Debian's
> patches to achieve this too.
>
> Instead of losing time changing something that is already done, accept
> the 3.6.3.0 series. In the end it's clearer that Debian fixed those
> vulnerabilities if the package version is 3.6.3.0 anyway.

Maybe. But we're in a release freeze and, imagine that everybody follows the same reasoning: we will always end up with new upstream releases and we'll never release.

It's not very good news to hear that a simple security patch isn't easy to apply to bugzilla. If that's true, how will later security updates be handled?

In that specific case, anyway, the decision is in the release team's hands. But not seeing signs of attempts to apply the sec fix to the existing package in testing can't make them very optimistic about further maintenance.