Hi

Based on the other discussion we have, I guess the verdict is "ignored" instead of no-dsa. :-)

// Ola

On Sun, 10 May 2020 at 18:47, Utkarsh Gupta <utka...@debian.org> wrote:
>
> Hi Chris,
>
> On Sun, May 10, 2020 at 4:28 AM Chris Lamb <la...@debian.org> wrote:
>>
>> I will first your mail in full with the Git SHAs expanded to URIs of
>> the diffs themselves:
>
> I should've done them in the first place. Many thanks! <3
>
>> I would definitely agree with your sentiment that this would be too
>> invasive to backport as a patch. However, before going for no-dsa
>> here, did you consider upgrading the entire package to a newer
>> version? (Is it even compatible? Is this critical enough of a package?
>> etc.)
>
> Yeah, but I think it won't cut it. There are some dependency bumps, too.
> The vulnerabilities in the MP4Parser were partially fixed by upgrading
> the com.googlecode:isoparser:1.1.22 dependency
> to org.tallison:isoparser:1.9.41.2.
> Then they upgraded org.apache.cxf to 3.3.6 as part of the 1.24.1 release.
> They also upgraded openjson to 1.0.10, org.ow2.asm to 8.0.1, zstd-jni
> to 1.4.4-9, bouncycastle to 1.65, commons-lang3 to 3.10, lucene to 8.5.0
> and mockito to 3.3.3 as part of the 1.24.1 release.
>
> And I don't think it's a good idea to upgrade or backport the fix.
> So I shall mark this as no-dsa <the fix is too invasive> for Jessie.
>
>
> Best,
> Utkarsh

-- 
 --- Inguza Technology AB --- MSc in Information Technology ----
|  o...@inguza.com                    o...@debian.org          |
|  http://inguza.com/               Mobile: +46 (0)70-332 1551 |
 ---------------------------------------------------------------