On Mon, 5 Mar 2018 17:18:00 +0530 Pirate Praveen <prav...@debian.org> wrote:
> On Sunday 04 March 2018 10:29 PM, Moritz Mühlenhoff wrote:
> > We're now almost two months in after the upstream security
> > release. If this still isn't ready, that's a sign to me
> > that we can't reasonably support it, so the next best option
> > is to end-of-life it and eventually ask for its removal
> > from stretch.
> >
> > Cheers,
> >         Moritz
> >
> I will ask upstream help in backporting and we can decide based on their
> response.

I will attach a debdiff tomorrow with the CVEs we already backported.
And also will try to respond quicker in case of future CVEs.

CVE-2017-0923 seems to be not affecting 8.13 as this feature was
introduced only in 9.1.

CVE-2017-0927 is affecting only an optional component of gitlab
(continuous deployment); while it is still good to be able to fix it, I don't
think it should result in a removal.

I'm yet to hear back from upstream about their help in fixing this last CVE.
