On 12/02/2019 15:44, Roberto C. Sánchez wrote:
> On Tue, Feb 12, 2019 at 07:44:41AM +0530, Abhijith PA wrote:
>>
>> That was very stupid of me. I was working on CVE-2018-1000888 in
>> php-pear and this ships via php5 in jessie. I didn't notice php5
>> already entered dla-needed.txt and I went directly changing php-pear to
>> php5. Anyway I release DLA for my upload.
>>
> No worries, we all make mistakes :-)
>
> It took me several tries to figure out why the 5.6.40 build failed after
> incorporating your change, but I was able to determine that the change
> introduced by your patch is now included upstream. I have an updated
> 5.6.40 build ready and I was waiting on the assignment of CVEs by
> upstream.
>
> I wonder if it would make more sense to go ahead with uploading 5.6.40
> and publish a revision to the DLA, or whether I should continue to wait
> on the CVE assignments. Thoughts?

I would publish it now, saying in the DLA that CVE assignment is pending,
see e.g. the new flatpak DSA. Then once the CVEs are assigned, you just
add them to the DLA entry in data/DLA/list, and you're done.

Cheers,
Emilio