On Mon, Sep 17, 2018 at 09:07:38PM +0000, Mike Gabriel wrote:
> I have looked at the changes between 3.1.33 (just uploaded to unstable) and
> 3.1.31 (in stable). They are awful. Read the below...
>
> 15:42 < sunweaver> Hi all, I have just looked into
> https://security-tracker.debian.org/tracker/CVE-2018-16831
> 15:43 < sunweaver> even for stretch, it is pretty much impossible to
> backport the patch series (at least for patches, all containing tons of
> regexp with multitudes of slashes and backslashes).
> 15:43 < sunweaver> totally insane...
> 15:44 < sunweaver> in fact, my recommendation for jessie and stretch would
> be (with my maintainer hat _and_ LTS team hats on at once): bring the latest
> upstream release to jessie/stretch.
> 15:44 < sunweaver> In jessie, we need to upgrade smarty-lexer as well for
> that.
> 15:46 < sunweaver> the 4 patches we needed at least are these...
> 15:47 < sunweaver>
> https://github.com/smarty-php/smarty/commit/8d21f38dc35c4cd6b31c2f23fc9b8e5adbc56dfe
> 15:47 < sunweaver>
> https://github.com/smarty-php/smarty/commit/f9ca3c63d1250bb56b2bda609dcc9dd81f0065f8
> 15:47 < sunweaver>
> https://github.com/smarty-php/smarty/commit/2e081a51b1effddb23f87952959139ac62654d50
> 15:47 < sunweaver>
> https://github.com/smarty-php/smarty/commit/c9dbe1d08c081912d02bd851d1d1b6388f6133d1
> 15:48 < sunweaver> and these four sit on top of this...
> 15:48 < sunweaver>
> https://github.com/smarty-php/smarty/commit/f7a53162058de410a35a9848e6d0795d7c252aaf
> 15:48 < sunweaver> and 10+ other commits.
> 15:48 < sunweaver> all tackling the same code passage.
> 15:49 < sunweaver> @all: can we reach consensus that latest upstream release
> would be best for jessie LTS and stretch (OT here).
>
> The pile of patches is so awful, I strongly advise getting latest
> smarty-lexer and latest smarty3 from unstable into stable with thorough
> testing of dependent applications (gosa, FusionDirectory, slbackup-php, ...).
> Most of them are maintained by me and I have running setups for testing this
> (except 1 package in Debian IIRC).
If you have reasonable test coverage of the reverse deps, we can do that. But
let's wait for a few more days to spot eventual regressions reported in
unstable first.

Also, make sure to coordinate the release of the DLA with the DSA, otherwise we
end up with a situation where oldstable has a higher version number than
stable.

Cheers,
Moritz