Control: tags -1 -moreinfo Hi Jeremy,
On Tue, May 11, 2021 at 11:09 PM Jeremy Galindo <jgali...@datto.com> wrote: > They're awaiting confirmation from MITRE, but the upstream maintainers wanted > to be able to answer the question: > >> And what, in your opinion, will be the distributions wanting to do ? >> Either fix their current release version or upgrade to the latest one ? >> Will they want the individual patches or switch to the new tarball ? >> Rebasing the patches to an old version should be easy enough, but this >> could lead to some complexity in managing the update reports (Fedora >> and Ubuntu are not currently releasing the same version). Current Debian release is in a deep freeze state. Important and serious bug fixes are still accepted, but not other changes and especially not new upstream releases. Next stable Debian will be released with the ntfs-3g 2017.3.23AR.3 version. Can you provide patch(es) for this or should I do those? If there's sensitive information, we can continue in private until a coordinated security update. Please include the Security Team in the communication then. > On Tue, May 11, 2021 at 3:47 PM Salvatore Bonaccorso <car...@debian.org> > wrote: >> On Tue, May 11, 2021 at 12:00:40PM -0400, Jeremy Galindo wrote: >> > For CVE's pending from upstream, is everything already mirrored so upstream >> > fixes are applied in the next release? I'm asking because the upstream >> > maintainers are trying to identify how soon their fixes will be applied to >> > your packages. >> >> Can you be more specific, which CVEs are you referring to? Thanks Salvatore for the followup, the original mail landed in my spam folder and wouldn't see that for a day or two otherwise. Regards, Laszlo/GCS
