On Fri, Sep 08, 2006 at 05:03:06PM +0200, Lionel Elie Mamane wrote:
> On Thu, Sep 07, 2006 at 08:02:06PM +0200, Florian Weimer wrote:
>> * Martin Schulze:
>>
>>> Imho, it's more useful to upload 2.1.5-8sarge4 and only bump the
>>> version number to get the new version built for all architectures into
>>> the archive.
>>
>> While you are at it, you could also include this patch:
>>
>> CVE-2006-3636. Fixes for various cross-site scripting issues. Discovery by
>> Moritz Naumann and most of the repair work done by Mark Sapiro (with some
>> additional work by Barry).
>
> As far as I understand the policy listed on
> http://release.debian.org/stable/3.1/3.1r3/, this would require a
> DSA. Does the security team plan on doing a DSA on this if I prepare a
> package, or does the stable release team grant me an exception to the
> policy to prepare -8sarge4 with this patch?
>
> If I get an answer (CCed to [EMAIL PROTECTED], not only to
> [EMAIL PROTECTED]) within two hours, I'll
> prepare a package today (Friday 8 September).

I must go away now, but I've prepared packages for a security update;
they are at http://people.debian.org/~lmamane/mailman/ .

--
Lionel