Re: Accepted org-mode 9.7.5+dfsg-1 (source) into unstable

2024-06-30 Thread Salvatore Bonaccorso
Hi Nicholas,

On Thu, Jun 27, 2024 at 06:14:20PM -0400, Nicholas D Steeves wrote:
> Hi Salvatore,
> 
> Salvatore Bonaccorso  writes:
> 
> > On Tue, Jun 25, 2024 at 03:04:42AM +, Debian FTP Masters wrote:
> >>  org-mode (9.7.5+dfsg-1) unstable; urgency=medium
> >>  .
> >>* New upstream release that resolves CVE-2024-39331 (Closes: #1074136).
> [snip]
> >
> > Thanks for this upload. FYI, I have uploaded some minutes ago now as
> > well a corresponding version for bullseye-security to security-master.
> >
> 
> Thank you!  As for bookworm, I'm unhappy with the security tracker
> status of "ignored".  Would you please ACK an upgrade of the empty
> package's emacs dependency to ( >= emacs_fixed_version )?  That way the
> metadata would ensure that it's fixed.  Feel free to do it yourself, if
> you'd prefer, but I have not been ignoring the state of bookworm, so
> want users to see "fixed", and feel safe, rather than see "ignored" and
> wonder about apathy in the face of scary vulnerabilities.

I admit, the state might be confusing, but it's tracking the source
package, thus ignored with the attached reason. (In fact we are
pondering if we can/should introduce a substate of unfixed for such
cases where no binary packages are affected; we cannot use the usual
unimportant here, see tracker documentation, because the severity
would affect the source package as a whole).

I think users are confused about the state mostly when using commercial
security scanners, thinking the security-tracker exposes information
about the binary packages, which is not true.

Hope this clarifies things for you?

> I also received a bug report about how bookworm's org-mode-doc shadows
> the docs provided by emacs-common-non-dfsg.  A similar empty package,
> plus ( >= emacs-common-non-dfsg ) would fix that.

This indeed might go in with an upcoming point release but is out of
scope for a security update.
> 
> Looking forward to hearing what you think,
> Nicholas

Thanks for all your work, and regards
Salvatore



Re: Accepted org-mode 9.7.5+dfsg-1 (source) into unstable

2024-06-27 Thread Nicholas D Steeves
Hi Salvatore,

Salvatore Bonaccorso  writes:

> On Tue, Jun 25, 2024 at 03:04:42AM +, Debian FTP Masters wrote:
>>  org-mode (9.7.5+dfsg-1) unstable; urgency=medium
>>  .
>>* New upstream release that resolves CVE-2024-39331 (Closes: #1074136).
[snip]
>
> Thanks for this upload. FYI, I have uploaded some minutes ago now as
> well a corresponding version for bullseye-security to security-master.
>

Thank you!  As for bookworm, I'm unhappy with the security tracker
status of "ignored".  Would you please ACK an upgrade of the empty
package's emacs dependency to ( >= emacs_fixed_version )?  That way the
metadata would ensure that it's fixed.  Feel free to do it yourself, if
you'd prefer, but I have not been ignoring the state of bookworm, so
want users to see "fixed", and feel safe, rather than see "ignored" and
wonder about apathy in the face of scary vulnerabilities.

I also received a bug report about how bookworm's org-mode-doc shadows
the docs provided by emacs-common-non-dfsg.  A similar empty package,
plus ( >= emacs-common-non-dfsg ) would fix that.

Looking forward to hearing what you think,
Nicholas




Re: Accepted org-mode 9.7.5+dfsg-1 (source) into unstable

2024-06-25 Thread Salvatore Bonaccorso
Hi Nicholas,

On Tue, Jun 25, 2024 at 03:04:42AM +, Debian FTP Masters wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA512
> 
> Format: 1.8
> Date: Mon, 24 Jun 2024 22:43:31 -0400
> Source: org-mode
> Architecture: source
> Version: 9.7.5+dfsg-1
> Distribution: unstable
> Urgency: medium
> Maintainer: Debian Emacsen team 
> Changed-By: Nicholas D Steeves 
> Closes: 1074136
> Changes:
>  org-mode (9.7.5+dfsg-1) unstable; urgency=medium
>  .
>* New upstream release that resolves CVE-2024-39331 (Closes: #1074136).
>* Rebase quilt series onto this release:
>  - Drop 10-shebang.patch (unused)
>  - Drop 20-links-unescaping.patch (unused)
>  - Drop 0002-default-to-xprintidle.patch (merged upstream)
>* Migrate to debhelper-compat 13.
>* Declare Rules-Requires-Root: no.
>* Override "package-does-not-install-examples" and provide justification in
>  debian/source/lintian-overrides.
>* Update my copyright years.
>* Declare Standards-Version: 4.7.0 (no changes required).

Thanks for this upload. FYI, I have uploaded some minutes ago now as
well a corresponding version for bullseye-security to security-master.

Regards,
Salvatore