Re: Jessie update of simplesamlphp?

2019-05-29 Thread Moritz Muehlenhoff
On Wed, May 29, 2019 at 10:16:56AM +, Mike Gabriel wrote:
> Hi Thijs,
> 
> On Tue 28 May 2019 18:17:39 CEST, Thijs Kinkhorst wrote:
> 
> > On Tue, May 28, 2019 16:01, Chris Lamb wrote:
> > > Mike Gabriel wrote:
> > > 
> > > > The Debian LTS team would like to fix the security issues which are
> > > > currently open in the Jessie version of simplesamlphp:
> > > 
> > > Which CVE is/was this for? I am just looking at:
> > > 
> > >   https://security-tracker.debian.org/tracker/source-package/simplesamlphp
> > > 
> > > ... and not seeing anything relevant. Is it still vulnerable? If so, we
> > > should remove it from dla-needed.txt, naturally.
> > 
> > As the maintainer I have triaged all open issues and see no reason for
> > releasing a jessie update at this point.
> 
> There are some no-dsa issues that should be easy to fix (CVE-2018-7711,
> CVE-2016-9955, CVE-2016-9814).
> 
> In the LTS team, we sometimes--when time allows it--work on those, too. From
> your message above, I get that you take care of simplesamlphp in jessie
> yourself and rather would not want to have us work on the above CVEs, right?

If for a given CVE the desired outcome is to not fix oldstable/stable (which is
often the right outcome if the risk of regressions and work burdened on the people
deploying the updates doesn't outweigh the security fix), then those CVEs should
be tagged  in the Security Tracker.

Cheers,
Moritz



Re: Jessie update of simplesamlphp?

2019-05-29 Thread Mike Gabriel

Hi again,

On Wed 29 May 2019 12:16:56 CEST, Mike Gabriel wrote:

[...]

> I will remove the package from dla-needed.txt again for now.

I just saw that Chris Lamb already did that earlier.

Mike
--

mike gabriel aka sunweaver (Debian Developer)
mobile: +49 (1520) 1976 148
landline: +49 (4354) 8390 139

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: sunwea...@debian.org, http://sunweavers.net





Re: Jessie update of simplesamlphp?

2019-05-29 Thread Mike Gabriel

Hi Thijs,

On Tue 28 May 2019 18:17:39 CEST, Thijs Kinkhorst wrote:

> On Tue, May 28, 2019 16:01, Chris Lamb wrote:
> > Mike Gabriel wrote:
> >
> > > The Debian LTS team would like to fix the security issues which are
> > > currently open in the Jessie version of simplesamlphp:
> >
> > Which CVE is/was this for? I am just looking at:
> >
> >   https://security-tracker.debian.org/tracker/source-package/simplesamlphp
> >
> > ... and not seeing anything relevant. Is it still vulnerable? If so, we
> > should remove it from dla-needed.txt, naturally.
>
> As the maintainer I have triaged all open issues and see no reason for
> releasing a jessie update at this point.

There are some no-dsa issues that should be easy to fix (CVE-2018-7711,
CVE-2016-9955, CVE-2016-9814).

In the LTS team, we sometimes--when time allows it--work on those, too. From
your message above, I get that you take care of simplesamlphp in jessie
yourself and rather would not want to have us work on the above CVEs, right?
I will remove the package from dla-needed.txt again for now.


Greets,
Mike
--

mike gabriel aka sunweaver (Debian Developer)
mobile: +49 (1520) 1976 148
landline: +49 (4354) 8390 139

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: sunwea...@debian.org, http://sunweavers.net





Re: Jessie update of simplesamlphp?

2019-05-28 Thread Thijs Kinkhorst
On Tue, May 28, 2019 16:01, Chris Lamb wrote:
> Mike Gabriel wrote:
>
>> The Debian LTS team would like to fix the security issues which are
>> currently open in the Jessie version of simplesamlphp:
>
> Which CVE is/was this for? I am just looking at:
>
>   https://security-tracker.debian.org/tracker/source-package/simplesamlphp
>
> ... and not seeing anything relevant. Is it still vulnerable? If so, we
> should remove it from dla-needed.txt, naturally.

As the maintainer I have triaged all open issues and see no reason for
releasing a jessie update at this point.


Cheers,
Thijs



Re: Jessie update of simplesamlphp?

2019-05-28 Thread Chris Lamb
Mike Gabriel wrote:

> The Debian LTS team would like to fix the security issues which are
> currently open in the Jessie version of simplesamlphp:

Which CVE is/was this for? I am just looking at:

  https://security-tracker.debian.org/tracker/source-package/simplesamlphp

… and not seeing anything relevant. Is it still vulnerable? If so, we
should remove it from dla-needed.txt, naturally.


Best wishes,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org  chris-lamb.co.uk
   `-



Jessie update of simplesamlphp?

2019-05-28 Thread Mike Gabriel
Dear maintainer(s),

The Debian LTS team would like to fix the security issues which are
currently open in the Jessie version of simplesamlphp:
https://security-tracker.debian.org/tracker/source-package/simplesamlphp

Would you like to take care of this yourself?

If yes, please follow the workflow we have defined here:
https://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an
updated source package and send it to debian-lts@lists.debian.org
(via a debdiff, or with an URL pointing to the source package,
or even with a pointer to your packaging repository), and the members
of the LTS team will take care of the rest. Indicate clearly whether you
have tested the updated package or not.

If you don't want to take care of this update, it's not a problem, we
will do our best with your package. Just let us know whether you would
like to review and/or test the updated package before it gets released.

You can also opt-out from receiving future similar emails in your
answer and then the LTS Team will take care of simplesamlphp updates
for the LTS releases.

Thank you very much.

Mike Gabriel,
  on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at
any point in time. You can verify whether someone is registered
on this update in this file:
https://salsa.debian.org/security-tracker-team/security-tracker/raw/master/data/dla-needed.txt
-- 

mike gabriel aka sunweaver (Debian Developer)
fon: +49 (1520) 1976 148

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: sunwea...@debian.org, http://sunweavers.net


