"Adam D. Barratt" <a...@adam-barratt.org.uk> wrote:

Hi,

> How big is the diff from prototype 1.4.0 (as used in the current
> package) to 1.6.1?  The bug report mentions that patches fixing the two

Don't know, I haven't even looked. There were other issues before those
two I believe, and they never got fixed. I know that the web interface
works just fine with 1.6.1 so upgrading to 1.6.1 is not an issue.

> CVEs are available, although I wasn't entirely clear as to whether they
> apply to 1.4.0 or not.

My bet is they don't; 1.4.0 is pretty ancient now.

> The bug log also mentions that you were planning to upload a fixed
> package to oldstable-security; is that no longer the case?

Re-reading the report, it doesn't actually ask for a security upload. I
have no preference for security vs. opu, although I don't think this
issue is worth a security upload given mt-daapd is not a web app, which
reduces the scope of the vulnerabilities considerably IMO.

JB.

-- 
 Julien BLACHE <jbla...@debian.org>  |  Debian, because code matters more 
 Debian & GNU/Linux Developer        |       <http://www.debian.org>
 Public key available on <http://www.jblache.org> - KeyID: F5D6 5169 
 GPG Fingerprint : 935A 79F1 C8B3 3521 FD62 7CC7 CD61 4FD7 F5D6 5169 

