Dear Lucas,

maybe you should look into the git repository of the package instead of assuming what I might mean. Because like written, I specifically mean CVE-2017-10965 and CVE-2017-10966 which are fixed in the package that I uploaded to stretch-proposed and was approved (see #870659). It is also found in the corresponding bugreport for those IDs (#867598).

So, no, I'm not "probably talking about CVE-2017-5393 and CVE-2017-5394".

In case you don't find it through the package metadata, the link to the git commitdiff is here:
http://git.deb.at/w/pkg/irssi.git/commitdiff/41f84e8

Enjoy,
Rhonda

* Lucas Kanashiro <[email protected]> [2017-09-05 13:44:29 CEST]:
> Hi Rhonda,
>
> The 2 CVEs that I marked as no DSA, security team did the same for
> stretch: CVE-2017-10965 and CVE-2017-1066. Probably you are talking about
> CVE-2017-5393 and CVE-2017-5394, maybe CVE-2017-5356. Those were marked as
> no DSA by another member of the team (LTS and/or security), so I did not
> intend to override someone else's decision. If other members of the team
> agree with that I can promptly prepare an upload for these issues
> targeting Jessie and wheezy.
>
> I am not here avoiding doing things or trying to make your life difficult.
> I am on your side. If I am able to do that I will.
>
> Cheers,
>
> On 2017-09-05 08:06, Rhonda D'Vine wrote:
> > Hi,
> >
> > erm, those two are already in the stretch-proposed-updates, it
> > shouldn't be much of a burden to carry that over to jessie and then
> > wheezy. If you really think of leaving those out while they are readily
> > available this looks kinda strange to me, and is just wasted effort
> > because I will have to push them there if you don't.
> >
> > So long,
> > Rhonda
> >
> >
> > * Lucas Kanashiro <[email protected]> [2017-09-04 18:54:45 CEST]:
> >> Hi,
> >>
> >> After reviewing the 4 CVEs [0] that affect irssi in wheezy I intend to follow
> >> the Security Team and mark the CVE-2017-10965 and CVE-2017-10966 as no-DSA
> >> and fix the other two, CVE-2017-9468 and CVE-2017-9469. I've prepared an
> >> upload for wheezy-security based on the two patches provided by the
> >> Security Team to fix the mentioned CVEs in jessie, the debdiff is attached.
> >>
> >> If someone has a different idea in mind share with me please.
> >>
> >> Cheers.
> >>
> >> [0] https://security-tracker.debian.org/tracker/source-package/irssi
> >>
> >>
> >> 2017-08-31 8:02 GMT-03:00 Lucas Kanashiro <[email protected]>:
> >>
> >> > Hi Rhonda,
> >> >
> >> > Do not worry, I can handle that for you, wheezy and jessie. Should I send
> >> > a debdiff to you for revision?
> >> >
> >> > Thanks for your fast reply.
> >> >
> >> > Cheers.
> >> >
> >> >
> >> > On 31 Aug 2017 05:04, "Rhonda D'Vine" <[email protected]> wrote:
> >> >
> >> > Hi,
> >> >
> >> > there is no update in jessie yet for that, and I try to do such things
> >> > top-down. I still believe that the priority should be on that instead
> >> > of on the LTS release, but I understand that that doesn't get payment.
> >> >
> >> > I'm still quite busy here, and the issue is not that big of one, but if
> >> > you want to prepare a wheezy update before I can find the time to
> >> > tackle it pretty please also do a jessie one right ahead too, otherwise
> >> > it looks kinda skew and gives a false impression of your intentions.
> >> >
> >> > Enjoy,
> >> > Rhonda
> >> >
> >> >
> >> > * Lucas Kanashiro <[email protected]> [2017-08-30 22:42:27 CEST]:
> >> > > Hi all,
> >> > >
> >> > > Any news about this? Will maintainers take care of irssi CVEs in
> >> > > wheezy?
> >> > >
> >> > > As Antoine said, irssi is one of the packages in our radar. I will wait
> >> > > for an answer until the end of the week, otherwise I'll prepare an upload
> >> > > based on patches in jessie and stretch.
> >> > >
> >> > > Cheers.
> >> > >
> >> > >
> >> > > 2017-06-27 15:33 GMT-03:00 Antoine Beaupré <[email protected]>:
> >> > >
> >> > > > On 2017-06-09 10:22:37, Rhonda D'Vine wrote:
> >> > > > > Dear Ola,
> >> > > > >
> >> > > > > this is on my board. The issue isn't that pressing, and I want to fix
> >> > > > > it for stretch and jessie too, and only do the update for wheezy after
> >> > > > > those got approved (which I expect). If it won't be approved for
> >> > > > > stretch and jessie there is quite little sense to invest to fix it just
> >> > > > > for wheezy. :)
> >> > > > >
> >> > > > > At least it won't get tackled by the security team, so I don't see much
> >> > > > > of a pressure that the LTS team should put it high on its priority,
> >> > > > > there are probably more pressuring things to fix.
> >> > > >
> >> > > > Hi Rhonda!
> >> > > >
> >> > > > Just to let you know, it's not high priority, but it's still on our
> >> > > > dashboard. :) LTS issues are prioritized by how many people have the
> >> > > > affected packages installed, and irssi is one of the packages that have
> >> > > > "votes". Considering it's a remote DOS, I still believe it's worth
> >> > > > fixing.
> >> > > >
> >> > > > We are happy, of course, to wait for you to make the update if you still
> >> > > > plan on doing so, now that updates trickled down in stretch/jessie. Do
> >> > > > let us know, however, if you want the LTS team to take care of it for
> >> > > > wheezy.
> >> > > >
> >> > > > Thanks!
> >> > > >
> >> > > > A.
> >> > > >

-- 
Fühlst du dich mutlos, fass endlich Mut, los      |
Fühlst du dich hilflos, geh raus und hilf, los    | Wir sind Helden
Fühlst du dich machtlos, geh raus und mach, los   | 23.55: Alles auf Anfang
Fühlst du dich haltlos, such Halt und lass los    |
