Your message dated Sat, 23 Jan 2016 13:57:15 +0000
with message-id <[email protected]>
and subject line 8.3 point release cleanup
has caused the Debian Bug report #805127,
regarding jessie-pu: package charybdis/3.4.2-4+b1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
805127: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=805127
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: [email protected]
Usertags: pu
Hi,
Charybdis is unfortunately in very bad shape in stable right now. There
was an oversight during the release process that made this bug not
appear as release critical:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=768339
Yet because of this bug, charybdis is basically unusable with TLS
enabled (which is the default). The error message is obscure and it is
unlikely that anyone can fix this problem on their own without having a
strong intuition.
I have therefore made a small upload for the package on sid. It fixes
that issue, but also a minor security vulnerability that was also
unfixed in jessie (and wheezy):
https://tracker.debian.org/news/725820
I have talked with the security team and they agree that a DSA is not
necessary because of the workaround (and the fact that charybdis is
broken anyways). The CVE has been marked as no-dsa by the team here:
https://security-tracker.debian.org/tracker/CVE-2015-5290
So I would like to upload the -5 release to stable (jessie) directly. I
attached the debdiff between -4 and -5 to this mail.
Since upstream is not maintaining 3.3 anymore and the upgrade is
transparent, I would also suggest that -5 is uploaded to wheezy as well,
but I understand that would be quite a stretch (no pun intended).
Wheezy, as far as I know, is not affected by #768339 so is more stable,
but it *is* affected by the security vulnerability. The patch I
cherry-picked for -5 *seems* to apply to the wheezy version, but I don't
have an environment to test this right now.
Thanks for any feedback.
A.
-- System Information:
Debian Release: 8.2
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_CA.UTF-8, LC_CTYPE=fr_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
--- End Message ---
--- Begin Message ---
Version: 8.3
Hi,
The updates referred to in these bugs were included in today's 8.3
Jessie point release.
Regards,
Adam
--- End Message ---