Hi LTS team
I have checked two of the pluxml issues
CVE-2020-18184
This vulnerability is questioned upstream. The "vulnerability" is that a
user that can edit themes can update a template that allows that user to
execute arbitrary code. However, the complaint is that there are plenty of
documentati

hi,
today two packages were unclaimed for LTS:
- slirp (Thorsten Alteholz)
- spice-vdagent (Abhijith PA)
and none for ELTS.
No one claimed too many packages.
Finally there are two DLAs which have been reserved but not yet been published:
- DLA 2494-1 (14 Dec 2020) (linux)
- DLA 2490-1 (10 Dec 20

Thanks Ola and Emilio both for the helpful pointers.
Regards,
-Roberto
On Tue, Dec 15, 2020 at 12:30:17PM +0100, Emilio Pozuelo Monfort wrote:
> On 15/12/2020 02:16, Roberto C. Sánchez wrote:
> > I am curious if there is a policy or best practice for how to handle a
> > package update containing

Hi,
During the last month I have spent 22.75h on LTS working on:
- thunderbird security updates
- libproxy security update
- security-tracker improvements
- firefox-esr security update
- drupal7 announcements
- lts meeting
- postgresql-9.6 announcement
- xorg-server security update
- preparation

On 15/12/2020 02:16, Roberto C. Sánchez wrote:
I am curious if there is a policy or best practice for how to handle a
package update containing both a regression fix and also a fix for a new
vulnerability.
If such a thing is not advisable or permissible, then is it best to
handle the regression

On Tue, Dec 15, 2020 at 07:20:20AM +0100, Ola Lundqvist wrote:
> Make a regular DLA with a note that it also contained a regression fix.
that.
> Alternatively we issue two DLAs referring to the same software version.
please try to avoid that, it doubles the work for quite some users. (those
who