Hi,

I think the text looks good. Not exactly as previous updates, but since it is the only change I think it is better to change the default template in the way you did it.

Best regards

// Ola

On Thu, 14 Nov 2019 at 19:52, Roberto C. Sánchez <robe...@debian.org> wrote:
> On Thu, Nov 14, 2019 at 01:31:27PM -0500, Roberto C. Sánchez wrote:
> > On Thu, Nov 14, 2019 at 05:19:03PM +0000, Holger Levsen wrote:
> > > On Wed, Nov 13, 2019 at 08:24:55AM -0500, Roberto C. Sánchez wrote:
> > > > > We usually mark affected CVE as <end-of-life> in data/CVE/list and just
> > > > > add the package to security-support-ended.deb8 in
> > > > > debian-security-support. We then upload new versions of the package
> > > > > periodically and announce it via DLA. I believe now is a good time to do it.
> > > > Thanks for the information. I will start working on it today.
> > >
> > > As any DD can commit to debian-security-support.git and also can upload
> > > that package, just make sure to call it a team upload in d/changelog to
> > > appease lintian and possibly other tools.
> > >
> > I had not yet seen this message so I already submitted an MR. Should I
> > close that and make a direct commit?
> >
> > > And then it would be ideal to upload the package to unstable and then
> > > file a SRM bug to update the package in stretch, in addition to
> > > uploading to jessie. (Probably this should also result in a DLA, not
> > > 100% sure though. Thoughts & comments definitely welcome.)
> > >
> > Looking at the previous updates, a DLA seems appropriate. I am in the
> > process of drafting the text.
> >
> > > I believe it's fine if the version constraints (package version in
> > > unstable higher than testing higher than stable higher than oldstable)
> > > are temporarily not met, but I also believe it's important that they are
> > > in the long run & most of the time.
> > >
> > > If doing all this work is too much or tedious to you, please shout and I
> > > will be happy to finish this. Please just do at least the initial
> > > change in git to security-support-ended.deb8.
> > >
> > If I close the MR and commit directly, is it then a simple matter of
> > build and upload to unstable? That is, no other special steps are
> > required?
> >
> Some additional follow-up:
>
> - Can I go ahead and mark the CVE in question as <end-of-life> in
> data/CVE/list even before the update to debian-security-support is
> complete?
> - Any feedback on this proposed DLA text?
>
> Package : debian-security-support
> Version : 2019.11.15~deb8u1
>
>
> debian-security-support, the Debian security support coverage checker,
> has been updated in jessie.
>
> This marks the end of life of the libqb package in jessie. A recently
> reported vulnerability against libqb which allows users to overwrite
> arbitrary files via a symlink attack cannot be adequately addressed in
> libqb in jessie. Upstream no longer supports this version and no
> packages in jessie depend upon libqb, thus making it a leaf package.
>
> We recommend that if your systems or applications depend upon the libqb
> package provided from the Debian archive that you upgrade your systems
> to a more recent Debian release or find an alternate and up to date
> source of libqb packages.
>
>
> Regards,
>
> -Roberto
>
> --
> Roberto C. Sánchez

--
--- Inguza Technology AB --- MSc in Information Technology ----
| o...@inguza.com o...@debian.org |
| http://inguza.com/ Mobile: +46 (0)70-332 1551 |
---------------------------------------------------------------