[Pkg-openldap-devel] Bug#448644: Bug#448644: Bug#448644: CVE-2007-5708 remote denial of service
Steve Langasek
vorlon at debian.org
Mon Nov 5 17:58:45 UTC 2007
On Sun, Nov 04, 2007 at 07:15:46PM -0800, Russ Allbery wrote:
> > Hi,
> > attached is a proposal for an NMU.
> > It will be archived on:
> > http://people.debian.org/~nion/nmu-diff/openldap2.3-2.38-1_2.3.38-1.1.patch
> I'm not sure why we would do this rather than just package 2.3.39.
> Wouldn't the latter be a better idea for unstable? (For the stable
> security release, of course, we should just cherry-pick the one fix,
> assuming it applies to the stable version, which I haven't checked.)
> Also, 2.4 is now officially released, so we should really switch to that
> ASAP so that we can get rid of 2.2.
I am GREATLY looking forward to this (btw, it's 2.1, not 2.2 that we're
stuck with right now :-).
> I'll send more mail about that later this week, though, since that's going
> to be a complex transition. Upgrading to the upstream 2.3.39 release
> should be simple.
Also looking forward to this mail wrt the complexity of the transition - I
think I have a good handle on the library transition issues already, but if
there are server issues as well I remain ignorant of them.
On Mon, Nov 05, 2007 at 09:24:42AM -0800, Russ Allbery wrote:
> And yes, please do import 2.4 into Subversion -- that would be great!
> (Should we consider using an svn-buildpackage-friendly layout in
> Subversion for 2.4 so that we can use svn-upgrade to import new upstream
> versions? Or possibly even enable merge-with-upstream and not store the
> upstream source in Subversion at all?)
I would like to see movement towards svn-buildpackage-friendliness. I also
think that's preferable over merge-with-upstream, based on Joey Hess's past
blogging on the subject.
Cheers,
--
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
vorlon at debian.org http://www.debian.org/