Hi,

On Thu, Sep 26, 2019 at 04:32:58PM -0400, Boyuan Yang wrote:
> X-Debbugs-CC: debian-secur...@lists.debian.org

Adding now explicitly the team alias.

> On Mon, 2019-09-23 at 17:52 +0200, Gunnar Hjalmarsson wrote:
> > It may be worth mentioning that Ubuntu's security team has disabled
> > CVE-2019-14822.patch in the stable releases for now.
>
> (With my Debian Input Method Team member hat on)
>
> While we are still waiting for an upstream fix, I think having a security flaw
> might be better than broken, at least in Sid. Maybe we could revert the
> problematic CVE fix for now? Of course it would be best if anyone can come up
> with a patch that fixes both CVE-2019-14822 and the usability issue for Qt5
> apps.
>
> I'm also interested in the attitude of Security Team towards the broken ibus
> in buster-security.

We are aware of it, but to my understanding the conditions how this is
happening are right now investigated. We discussed this quickly when we
saw Ubuntu did revert the fix, and questioned if we want to follow the
revert from Ubuntu, but opted to monitor the progress, and hold it back
for now.

I see you are involved in the triage, so I'm actually hopeful we can
resolve the regression soonish without need of reverting the CVE fix.

I as well pinged Simon, who found the security issue, if he can have a
look at the current regression if he has ideas.

Thanks for your work, fwiw!

Regards,
Salvatore