On Sun, May 26, 2019 at 09:24:30PM +0200, Moritz Mühlenhoff wrote:
> On Mon, May 06, 2019 at 04:19:33AM +0000, tony mancill wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA512
> >
> > Format: 1.8
> > Date: Sun, 05 May 2019 19:57:45 -0700
> > Source: jetty9
> > Architecture: source
> > Version: 9.4.18-1
> > Distribution: experimental
> > Urgency: medium
> > Maintainer: Debian Java Maintainers <pkg-java-maintain...@lists.alioth.debian.org>
> > Changed-By: tony mancill <tmanc...@debian.org>
> > Closes: 928444
> > Changes:
> >  jetty9 (9.4.18-1) experimental; urgency=medium
> >  .
> >    * Team upload.
> >    * New upstream release
> >      - Addresses CVE-2019-10241, CVE-2019-10247 (Closes: #928444)
>
> What's the plan for unstable/buster?
Hi Moritz,

Good question! I uploaded the new version to experimental so users had at least one option within Debian for addressing those CVEs, but I haven't looked into what it would take to backport just the CVE patches to 9.4.15.

Are we deep enough into the freeze that it is reasonable to go ahead and upload to unstable? (I'm never sure how to judge these things.)

For buster, t-p-u would have a quick turnaround, but there are a number of upstream changes between 9.4.15 and 9.4.18 [1], and I don't have a good sense for the risk trade-off between the new version and the backport.

Since I haven't handled any of the jetty9 uploads, I would like to defer to Emmanuel to see if he has a preference.

Thank you,
tony

[1] https://salsa.debian.org/java-team/jetty9/blob/be3f955ab42b5612e1022667216f8453812f5277/VERSION.txt#L1-43