[tryton-debian] Security fix for safe_eval in Tryton server
Mathias Behrle
mathiasb at m9s.biz
Fri Oct 3 09:43:37 UTC 2014
* Mathias Behrle: " Re: Security fix for safe_eval in Tryton server" (Wed, 1
Oct 2014 13:22:14 +0200):
> * Raphael Hertzog: " Re: Security fix for safe_eval in Tryton server" (Wed, 1
> Oct 2014 00:28:23 +0200):
>
> Hi Raphael,
>
> > On Tue, 30 Sep 2014, Mathias Behrle wrote:
> > > > BTW, what's the status for squeeze? The version there is even older but
> > > > as we officially support LTS, it would be nice if you could provide me
> > > > an update for that version too (in case it also applies).
> > >
> > > As written in my original mail I didn't plan an upload for oldstable.
> > >
> > > First because I really don't expect any user to run Tryton 1.6 any more.
> > > Second it would be a stripped down version of the patches (only the one
> > > for safe_eval), because ast is new in Python 2.6 (and squeeze has 2.5).
> >
> > That's fine.
> >
> > > If you estimate nevertheless, that the package should be done, I will
> > > provide it.
> >
> > Yes, please. I agree with you that probably nobody is using it but if it's
> > not too much work, I believe it's good to live up to our new LTS promise.
> >
> > The only alternative solution is to mark the package as unsupported in
> > that release (via debian-security-support) and I'd rather avoid that.
>
> Here comes the debdiff attached. Thanks for uploading.
Hi Raphael, hi Florian,
the fix for CVE-2014-6633 [1] caused a regression on the creation of strict
sequences [2]. What is the best way to prepare the packages with the fix for
[3]?
- just doing another package for security.debian.org (it seems they are not yet
published?)
* tryton-server (2.2.4-1+deb7u2) stable-security; urgency=high
* tryton-server (1.6.1-2+squeeze3) oldstable-security; urgency=high
- or preparing a package for proposed-updates
* tryton-server (2.2.4-1+deb7u2) stable; urgency=medium
* tryton-server (1.6.1-2+squeeze3) oldstable; urgency=medium
Cheers,
Mathias
[1] https://bugs.tryton.org/issue4155
[2] https://bugs.tryton.org/issue4228
[3] http://codereview.tryton.org/5681002
--
Mathias Behrle
PGP/GnuPG key available from any keyserver, ID: 0x8405BBF6