Dear security team,

On Thu, Mar 09, 2017 at 07:20:40PM +0000, Adam D. Barratt wrote:
> On Thu, 2017-03-02 at 09:50 +0000, Holger Levsen wrote:
> > On Thu, Mar 02, 2017 at 09:12:34AM +0100, Petter Reinholdtsen wrote:
> > > Usertags: pu
> > >
> > > The sitesummary package in stable is affected by one RC bug causing all
> > > clients to fail to submit data to the collector, and thus breaking the
> > > service SiteSummary is supposed to provide (collect data about
> > > machines). The problem is triggered by the recent update of Apache.
> > [...]
> > > I would like to update the stable version of sitesummary to fix this
> > > bug. It affects Debian Edu, but also all other users of SiteSummary in
> > > Jessie. Are you OK with me uploading a package with this change? How
> > > quickly is it possible to get this change into Jessie?
> >
> > (this would normally take several weeks or months, until the next jessie
> > point release will happen, which AFAIK is not yet planned. IOW: date is
> > unknown.)
> >
> > as this regression was introduced by DSA-3796, wouldn't it be appropriate to
> > update sitesummary via jessie-security as well?
>
> Have either of you asked the Security Team about that?

no, we haven't yet.

So, #852623 is about sitesummary being broken due to the fix for
CVE-2016-8743 and while #852623 has been fixed in sid and stretch, we would
also like to fix #852623 in sitesummary in jessie and stable.

So at first, we thought to go via proposed-updates, but as you can see Adam
suggested to go via stable-security (and LTS I suppose) - what do you think?

Going via security would be much nicer as this would fix this in the real
world much sooner…!

-- 
cheers,
	Holger