Hi,

On Thursday 06 September 2012 05:09:26 Dmitry Smirnov wrote:
> On Thu, 6 Sep 2012 17:50:59 Ansgar Burchardt wrote:
> > Dmitry Smirnov <[email protected]> writes:
> > > As far as we're aware even latest of 1.8 series still have unresolved
> > > security vulnerabilities that are fixed in 2.x.
> >
> > Are there additional issues besides #683273? I suggest filing bugs for
> > them in Debian's BTS to make sure they are dealt with before the
> > release.
[...]
> Looks like for upstream version 2.0 is a primary one while security fixes
> are delayed (at very least) for 1.8.
[...]
> > Releasing with a version that has known security issues seems like a
> > bad idea.
[...]
> IMHO from security perspective we have a pretty well justified reason for
> unblock but I'd like to ask security team for advice.
> Unfortunately Christoph is busy and he didn't write to security team yet.
>
> I apologise for lack of activity from my side -- perhaps I should have
> written to security team myself without waiting for Christoph. My only
> excuse is that I don't know much about the history of security support
> for Zabbix which makes Christoph a better person to speak to security
> team due to his superior knowledge in that regards.

Looking at the current situation, and unless there are substantial improvements, I'd like to request the removal of zabbix 1.8 from wheezy.

Whether 2.0 could make it into wheezy would be on the hands of the Release Team, but then again: without proper support by upstream and by you, the maintainers, I don't think we (the sec team) want another zabbix to go around and have to fix. Squeeze's version is more than enough, with all its gotchas. It remains to be seen whether we keep it or we decide to drop it.

Zabbix is not the kind of software that should be left with unfixed vulnerabilities for too long. The current situation is not acceptable.

I'm not going to take any immediate action, to allow you (the maintainers) to work on the issues and perhaps take whatever decision yourselves.

Regards,
--
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net

