Dear Ansgar,

Thank you for looking into the issue.

On Thu, 6 Sep 2012 17:50:59 Ansgar Burchardt wrote:
> Dmitry Smirnov <[email protected]> writes:
> > As far as we're aware even latest of 1.8 series still have unresolved
> > security vulnerabilities that are fixed in 2.x.
>
> Are there additional issues besides #683273? I suggest filing bugs for
> them in Debian's BTS to make sure they are dealt with before the
> release.

There are some, according to

http://security-tracker.debian.org/tracker/source-package/zabbix

I think there might be at least three known vulnerabilities.
Christoph should know better -- I hope he'll reply.

>
> > If so we'd better upgrade to 2.x rather than being stuck with insecure
> > 1.8 or experience delays with regards to security updates.
>
> Wouldn't we have the same problem later even if we include 2.0.x in Wheezy
> now?

There is no way of knowing for sure. For years there was only one version available: 1.8. I would speculate that there will be no new major releases for a while. If so, then yes, we won't have this problem for some time and our maintenance burden will be significantly reduced.

Looks like for upstream version 2.0 is a primary one while security fixes are delayed (at the very least) for 1.8. However this is just my impression that I can't support with the evidence straight from my memory.

> > At the moment because of freeze policy it is not clear if we will be able
> > to make 2.x to Wheezy or if Wheezy will be released with 1.8.11.
>
> Releasing with a version that has known security issues seems like a bad
> idea.

So true. Some time ago Christoph said that he does not intend to negotiate for unblock to include Zabbix 2.0 into Wheezy. However when we finished working on 2.0 for whatever reason he uploaded it to "unstable", not to "experimental".

IMHO from security perspective we have a pretty well justified reason for unblock but I'd like to ask security team for advice. Unfortunately Christoph is busy and he didn't write to security team yet.

I apologise for lack of activity from my side -- perhaps I should have written to security team myself without waiting for Christoph. My only excuse is that I don't know much about the history of security support for Zabbix which makes Christoph a better person to speak to security team due to his superior knowledge in that regard.

Cheers,
Dmitry.

