Hi

I think the text looks good. Not exactly as previous updates but since it
is the only change I think it is better to change the default template in
the way you did it.

Best regards

// Ola

On Thu, 14 Nov 2019 at 19:52, Roberto C. Sánchez <robe...@debian.org> wrote:

> On Thu, Nov 14, 2019 at 01:31:27PM -0500, Roberto C. Sánchez wrote:
> > On Thu, Nov 14, 2019 at 05:19:03PM +0000, Holger Levsen wrote:
> > > On Wed, Nov 13, 2019 at 08:24:55AM -0500, Roberto C. Sánchez wrote:
> > > > > We usually mark affected CVE as <end-of-life> in data/CVE/list and just
> > > > > add the package to security-support-ended.deb8 in
> > > > > debian-security-support. We then upload new versions of the package
> > > > > periodically and announce it via DLA. I believe now is a good time to do it.
> > > > Thanks for the information.  I will start working on it today.
> > >
> > > As any DD can commit to debian-security-support.git and also can upload
> > > that package, just make sure to call it a team upload in d/changelog to
> > > appease lintian and possibly other tools.
> > >
> > I had not yet seen this message so I already submitted a MR.  Should I
> > close that and make a direct commit?
> >
> > > And then it would be ideal to upload the package to unstable and then
> > > file a SRM bug to update the package in stretch, in addition to
> > > uploading to jessie. (Probably this should also result in a DLA, not
> > > 100% sure though. Thoughts & comments definitely welcome.)
> > >
> >
> > Looking at the previous updates, a DLA seems appropriate.  I am in the
> > process of drafting the text.
> >
> > > I believe it's fine if the version constraints (package version in
> > > unstable higher than testing higher than stable higher than oldstable)
> > > are temporarily not met, but I also believe it's important that they are
> > > in the long run & most of the time.
> > >
> > > If doing all this work is too much or tedious to you, please shout and I
> > > will be happy to finish this. Please just do at least the initial
> > > change in git to security-support-ended.deb8.
> > >
> > If I close the MR and commit directly, is it then a simple matter of
> > build and upload to unstable?  That is, no other special steps are
> > required?
> >
> Some additional follow-up:
>
> - Can I go ahead and mark the CVE in question as <end-of-life> in
>   data/CVE/list even before the update to debian-security-support is
>   complete?
> - Any feedback on this proposed DLA text?
>
> Package        : debian-security-support
> Version        : 2019.11.15~deb8u1
>
>
> debian-security-support, the Debian security support coverage checker,
> has been updated in jessie.
>
> This marks the end of life of the libqb package in jessie.  A recently
> reported vulnerability against libqb which allows users to overwrite
> arbitrary files via a symlink attack cannot be adequately addressed in
> libqb in jessie.  Upstream no longer supports this version and no
> packages in jessie depend upon libqb, thus making it a leaf package.
>
> We recommend that if your systems or applications depend upon the libqb
> package provided from the Debian archive that you upgrade your systems
> to a more recent Debian release or find an alternate and up to date
> source of libqb packages.
>
>
> Regards,
>
> -Roberto
>
> --
> Roberto C. Sánchez
>
>

-- 
 --- Inguza Technology AB --- MSc in Information Technology ----
|  o...@inguza.com                    o...@debian.org            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
 ---------------------------------------------------------------
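The draft DLA above rests on the claim that nothing in jessie depends on libqb, i.e. that it is a leaf package. The following is an added example, not part of this thread or of debian-security-support, showing how that claim can be checked mechanically by scanning a Packages index for reverse dependencies. The index fragment, the binary name libqb0 and the helper names rdepends and is_leaf are constructed for illustration; against the real archive one would feed the actual jessie Packages files (or use apt-cache rdepends / build-rdeps), and Build-Depends would need the same treatment before calling a package a leaf.

```shell
#!/bin/sh
# Constructed fragment of a Debian "Packages" index (not real jessie data).
PACKAGES_SAMPLE='Package: corosync
Version: 2.3.6-3
Depends: libqb0 (>= 0.17.1), libc6 (>= 2.14), init-system-helpers (>= 1.18~)

Package: libqb0
Version: 0.17.1-3
Depends: libc6 (>= 2.14)

Package: bash
Version: 4.3-11+deb8u1
Pre-Depends: libc6 (>= 2.15), libtinfo5 (>= 5.9+20140913)
Essential: yes
'

# rdepends PKG PACKAGES_TEXT: print the binary packages whose Depends or
# Pre-Depends field names PKG, one per line. Version constraints in
# parentheses are ignored and alternatives ("a | b") are split so that
# each alternative counts as a dependency.
rdepends() {
    printf '%s\n' "$2" | awk -v target="$1" '
    BEGIN { RS = ""; FS = "\n" }        # one stanza per record, one field per line
    {
        name = ""; deps = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^Package: /) name = substr($i, 10)
            else if ($i ~ /^(Pre-)?Depends: /) { sub(/^[^:]*: /, "", $i); deps = deps "," $i }
        }
        n = split(deps, list, /[,|]/)
        for (j = 1; j <= n; j++) {
            d = list[j]
            sub(/^[ \t]+/, "", d)       # drop leading blanks
            sub(/[ \t(].*$/, "", d)     # drop version constraint, keep bare name
            if (d == target) { print name; break }
        }
    }'
}

# is_leaf PKG PACKAGES_TEXT: succeed only if no stanza depends on PKG.
is_leaf() {
    [ -z "$(rdepends "$1" "$2")" ]
}

# Stand-alone demo: in the constructed sample, corosync still needs libqb0,
# so libqb0 is not a leaf there.
rdepends libqb0 "$PACKAGES_SAMPLE"
```

Run against the real indices, an empty result for every binary built from the libqb source package is what justifies the "leaf package" wording in the DLA; a non-empty result means the end-of-life marking would silently drop security coverage for the listed reverse dependencies too.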
