On Sun, May 26, 2019 at 09:24:30PM +0200, Moritz Mühlenhoff wrote:
> On Mon, May 06, 2019 at 04:19:33AM +0000, tony mancill wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA512
> >
> > Format: 1.8
> > Date: Sun, 05 May 2019 19:57:45 -0700
> > Source: jetty9
> > Architecture: source
> > Version: 9.4.18-1
> > Distribution: experimental
> > Urgency: medium
> > Maintainer: Debian Java Maintainers <[email protected]>
> > Changed-By: tony mancill <[email protected]>
> > Closes: 928444
> > Changes:
> >  jetty9 (9.4.18-1) experimental; urgency=medium
> >  .
> >    * Team upload.
> >    * New upstream release
> >      - Addresses CVE-2019-10241, CVE-2019-10247 (Closes: #928444)
>
> What's the plan for unstable/buster?

Hi Moritz,

Good question! I uploaded the new version to experimental so users had at least one option within Debian for addressing those CVEs, but I haven't looked into what it would take to backport just the CVE patches to 9.4.15.

Are we deep enough into the freeze that it is reasonable to go ahead and upload to unstable? (I'm never sure how to judge these things.) For buster, t-p-u would have a quick turn around, but there are a number of upstream changes between 9.4.15 and 9.4.18 [1], and I don't have a good sense for the risk trade-off between the new version and the backport.

Since I haven't handled any of the jetty9 uploads, I would like to defer to Emmanuel to see if he has a preference.

Thank you,
tony

[1] https://salsa.debian.org/java-team/jetty9/blob/be3f955ab42b5612e1022667216f8453812f5277/VERSION.txt#L1-43

__ This is the maintainer address of Debian's Java team <https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>. Please use [email protected] for discussions and questions.
