Re: Adam D. Barratt 2015-06-03 <1433354441.11603.12.ca...@adam-barratt.org.uk> > > It'd be nice if at least the 9.4 package would make it into the next > > point release, #786874 is pretty nasty. (In wheezy, it was fixed for > > 9.1 via a DSA update.) > > I have to admit that it's unclear to me why the 9.4 update for jessie > wasn't released via an updated DSA, rather than a > rare-as-hens-teeth(ish) p-u-freeze exception, given that the bug was > introduced via the security archive in the first place.
Hi Adam, the reasoning was that #786874 affects 9.1 even in the default install (because of the SSL cert symlinks installed in the data directory), so we cherry-picked the fixing upstream commit to release a -2 DSA because we didn't want to wait for the upstream release. For 9.4, the problem only manifests if you "manually" put unwritable files into the data directory, but that situation is also pretty common, like lost+found from mountpoints, or root-owned vim .swp files. Now upstream has released an updated version, including this fix, along with 3 other minor points. There is still a data-loss problem being worked on (which is half an old bug, and half an incomplete fix in the last releases (but not a regression)), so there will be another releases round in about two weeks :( That will probably be targeting jessie-updates. Re: Adam D. Barratt 2015-06-03 <1433358799.11603.15.ca...@adam-barratt.org.uk> > In the interests of getting this fixed, I've (slightly unhappily) > flagged the 9.4 package for acceptance. This is very much an exception, > please do not rely on it happening next time. :-) Thanks! It's pretty unlikely that this scenario (regression in DSA with re-release from upstream with yet more important fixes pending) will happen right around the freeze again, so no worries ;) > Given that we don't ship the affected code for 9.1 in Jessie, that will > get processed after the point release. Ok. Christoph -- c...@df7cb.de | http://www.df7cb.de/
signature.asc
Description: Digital signature
