On Thu, 2014-06-19 at 03:49 +0000, Nick Phillips wrote:
> While checking our procedures for tracking vulnerabilities in
> non-Debian-provided packages, I noticed that python-soappy in wheezy has
> a couple of outstanding vulns.

I guess you mean CVE-2014-3242 and CVE-2014-3243? Since they are public, discussion can (and should) open on the BTS, feel free to open a bug there (and tag it security).

> I had a brief chat to Adam Barratt (SRM) about this on IRC as well, and
> while not keen, he did seem willing to give the possibility the time of
> day at least. He suggested filing a p-u bug with the relevant
> information, but I thought I'd mail you guys first to see whether you'd
> be inclined to agree with the solution and that doing so wouldn't be
> treading on any toes.

Hi, and thanks for the notice. Indeed, adding a new package to Wheezy doesn't look really good, but if it's actually the only option and the SRM are somehow ok with that, I guess we can go that road.

>
> DPMT guys - there's no big deal with this for sid, as defusedxml is
> already available. Happy to NMU latest SOAPPy from pypi if desired. Or,
> since I already have fixed packages here, I can equally happily STFU and
> leave you all alone.

Well, for sid you can just proceed with standard NMU practices, I guess. For Wheezy, we would need to wait for the new package to appear anyway. For Squeeze, we should just mark the package as unsupported.

Regards,
--
Yves-Alexis
_______________________________________________ Python-modules-team mailing list [email protected] http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/python-modules-team

