Hi

Spamassassin (and a few other packages) are handled a little differently compared to most packages in Debian.

I'd advise that we go for the latest release. The only reason I see why we would not, would be if we introduce some major backwards compatibility issue.

// Ola

On Fri, 31 Jan 2020 at 19:14, Noah Meyerhans <[email protected]> wrote:
> On Fri, Jan 31, 2020 at 05:16:53PM +0100, Matus UHLAR - fantomas wrote:
> > > and as spamassassin has been upstream version bumped in Debian jessie
> > > LTS before, I am asking for your opinion, if you'd rather recommend
> > > cherry-picking the fixes (which I haven't been able to identify yet in
> > > upstream SVN) or simply upstream version bump spamassassin in jessie LTS
> > > once more.
> > >
> > > @LTS team: sharing your feedback / opinions will be much appreciated, too.
> >
> > ... and I discussed this with some people on spamassassin mailing list.
> >
> > quoting one mail[1]:
> >
> > Key to the issue is I fail to see how the highly intrusive security work
> > done for 3.4.3 can possibly be backported.
> >
> > My recommendation remains a strong: upgrade to 3.4.4.
>
> That's always their recommendation. Yet the fixes for the current CVEs
> amount to less than 100 lines of diff against 3.4.3, including context.
>
> I haven't looked into applying these changes to 3.4.2. If somebody
> wants to take this on, they're at
>
> https://salsa.debian.org/debian/spamassassin/blob/buster-security/debian/patches/CVE-2020-1930
>
> and
>
> https://salsa.debian.org/debian/spamassassin/blob/buster-security/debian/patches/CVE-2020-1931
>
> noah

--
 --- Inguza Technology AB --- MSc in Information Technology ----
|  [email protected]                    [email protected]   |
|  http://inguza.com/                   Mobile: +46 (0)70-332 1551 |
 ---------------------------------------------------------------