As a long-time user of both Ubuntu and Debian, I understand that typically, new major upstream versions do not get inserted into stable releases. My personal experience is that microversion bumps are frequently brought into the stable releases, and section 2.3 of the linked page seems to describe the process for that in detail. I believe redis meets at least 3 of the 4 criteria listed on that page (I don't know if the package has an "autopkgtest" component).
The worst incompatibility is the PUBSUB response was changed from a string to an integer in 2.8.13. I would hope that isn't an excuse to keep trusty on an ancient version; if it presents a problem for upgrading, it would seem best to *revert* that individual patch for API consistency rather than keeping the whole package back on a release with numerous major problems, including active security problems. Per the page linked, I understand that the stable release team has the final input into whether a package gets microversion bumps (such as this one, 2.8.4 -> 2.8.24). I just want to clarify that I'm aware of the release process and that I believe in this case, the microversion bump is not only justified but needed.

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1467606

Title: EVAL Lua Sandbox Escape (CVE-2015-4335 / DSA-3279)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/redis/+bug/1467606/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs