Unsubscribe me please On December 30, 2018 1:38:57 AM MST, Salvatore Bonaccorso <car...@debian.org> wrote: >Hi Roberto, > >On Sat, Dec 29, 2018 at 10:24:40AM -0500, Roberto C. Sánchez wrote: >> On Sat, Dec 22, 2018 at 10:27:18PM -0500, Roberto C. Sánchez wrote: >> > [note: I am not subscribed to debian-security; please keep me or >> > debian-lts addressed on replies] >> > >> > If this seems like a sensible approach, I propose to apply the >attached >> > patch to uw-imap 8:2007f~dfsg-5 (the current stretch/buster/sid >version) >> > to create version 8:2007f~dfsg-6 for upload to sid and eventual >> > inclusion in stretch (perhaps via a point release) and then also in >> > parallel create a 8:2007f~dfsg-4+deb8u1 package for upload to >jessie. >> > >> > Please reply with your comments. In particular, feedback from the >> > security team on the appropriateness of this for a stable point >release >> > and my suggested route for the update to take to get there would be >very >> > useful. >> > >> >> Hi all, >> >> Since Tomas and Ola have reviewed the patch and we have had some >> discussion which makes it seem like this is the most sensible >approach >> to the vulnerability given the constraints, I wonder if the Security >> team could weigh in. >> >> I have forwarded my initial message and the patch to Magnus Holngren >> (the uw-imap maintainer) and also added him as a recipient of this >> message, as he may wish to be the one to upload to unstable and >> coordinate the future point release inclusion. >> >> I ask for some indication now from the security team and/or the >> maintainer since I don't think it makes sense to fix this only in >jessie >> and not in stretch/buster/sid. > >There is an alternative approach wich was raised by Magnus in the >respective bug: https://bugs.debian.org/914632#12 (and see followup >from Moritz). > >Regards, >Salvatore
-- Sent from my Android device with K-9 Mail. Please excuse my brevity.
