On Thu, Sep 06, 2012 at 12:38:56PM -0500, Raphael Geissert wrote:
> Hi,
> 
> On Thursday 06 September 2012 05:09:26 Dmitry Smirnov wrote:
> > On Thu, 6 Sep 2012 17:50:59 Ansgar Burchardt wrote:
> > > Dmitry Smirnov <[email protected]> writes:
> > > > As far as we're aware even the latest of the 1.8 series still has unresolved
> > > > security vulnerabilities that are fixed in 2.x.
> > > 
> > > Are there additional issues besides #683273?  I suggest filing bugs for
> > > them in Debian's BTS to make sure they are dealt with before the
> > > release.
> [...]
> > Looks like for upstream version 2.0 is a primary one while security fixes
> > are delayed (at very least) for 1.8.
> [...]
> > > Releasing with a version that has known security issues seems like a
> > > bad idea.
> [...]
> > IMHO from a security perspective we have a pretty well justified reason for
> > unblock but I'd like to ask the security team for advice.
> > Unfortunately Christoph is busy and he didn't write to security team yet.
> > 
> > I apologise for lack of activity from my side -- perhaps I should have
> > written to security team myself without waiting for Christoph. My only
> > excuse is that I don't know much about the history of security support
> > for Zabbix which makes Christoph a better person to speak to security
> > team due to his superior knowledge in that regard.
> 
> Looking at the current situation, and unless there are substantial 
> improvements, I'd like to request the removal of zabbix 1.8 from wheezy. 
> Whether 2.0 could make it into wheezy would be in the hands of the Release 
> Team, but then again: without proper support by upstream and by you, the 
> maintainers, I don't think we (the sec team) want another zabbix to go 
> around and have to fix.
> Squeeze's version is more than enough, with all its gotchas. It remains to 
> be seen whether we keep it or we decide to drop it.
> 
> Zabbix is not the kind of software that should be left with unfixed 
> vulnerabilities for too long. The current situation is not acceptable.
> 
> I'm not going to take any immediate action, to allow you (the maintainers) 
> to work on the issues and perhaps take whatever decision yourselves.

I agree. Squeeze turned out to be ugly, let's rather have a current zabbix
in backports for Wheezy.

Cheers,
        Moritz

