• Re: Accepted org-mode 9.7.5+dfsg-1 (source) into unstable

  • From Salvatore Bonaccorso@21:1/5 to Debian FTP Masters on Tue Jun 25 09:50:01 2024
    Hi Nicholas,

    On Tue, Jun 25, 2024 at 03:04:42AM +0000, Debian FTP Masters wrote:
    > Format: 1.8
    > Date: Mon, 24 Jun 2024 22:43:31 -0400
    > Source: org-mode
    > Architecture: source
    > Version: 9.7.5+dfsg-1
    > Distribution: unstable
    > Urgency: medium
    > Maintainer: Debian Emacsen team <[email protected]>
    > Changed-By: Nicholas D Steeves <[email protected]>
    > Closes: 1074136
    > Changes:
    >  org-mode (9.7.5+dfsg-1) unstable; urgency=medium
    >  .
    >    * New upstream release that resolves CVE-2024-39331 (Closes: #1074136).
    >    * Rebase quilt series onto this release:
    >      - Drop 10-shebang.patch (unused)
    >      - Drop 20-links-unescaping.patch (unused)
    >      - Drop 0002-default-to-xprintidle.patch (merged upstream)
    >    * Migrate to debhelper-compat 13.
    >    * Declare Rules-Requires-Root: no.
    >    * Override "package-does-not-install-examples" and provide justification in
    >      debian/source/lintian-overrides.
    >    * Update my copyright years.
    >    * Declare Standards-Version: 4.7.0 (no changes required).

    Thanks for this upload. FYI, I have uploaded a corresponding version
    for bullseye-security to security-master some minutes ago as well.

    Regards,
    Salvatore

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Nicholas D Steeves@21:1/5 to Salvatore Bonaccorso on Fri Jun 28 00:20:02 2024
    Hi Salvatore,

    Salvatore Bonaccorso <[email protected]> writes:

    > On Tue, Jun 25, 2024 at 03:04:42AM +0000, Debian FTP Masters wrote:
    >>  org-mode (9.7.5+dfsg-1) unstable; urgency=medium
    >>  .
    >>    * New upstream release that resolves CVE-2024-39331 (Closes: #1074136).
    [snip]
    >
    > Thanks for this upload. FYI, I have uploaded a corresponding version
    > for bullseye-security to security-master some minutes ago as well.


    Thank you! As for bookworm, I'm unhappy with the security tracker
    status of "ignored". Would you please ACK an upgrade of the empty
    package's emacs dependency to ( >= emacs_fixed_version )? That way the
    metadata would ensure that it's fixed. Feel free to do it yourself, if
    you'd prefer, but I have not been ignoring the state of bookworm, so I
    want users to see "fixed", and feel safe, rather than see "ignored" and
    wonder about apathy in the face of scary vulnerabilities.

    I also received a bug report about how bookworm's org-mode-doc shadows
    the docs provided by emacs-common-non-dfsg. A similar empty package,
    plus ( >= emacs-common-non-dfsg ) would fix that.

    Looking forward to hearing what you think,
    Nicholas

  • From Salvatore Bonaccorso@21:1/5 to Nicholas D Steeves on Sun Jun 30 14:50:01 2024
    Hi Nicholas,

    On Thu, Jun 27, 2024 at 06:14:20PM -0400, Nicholas D Steeves wrote:
    > Hi Salvatore,
    >
    > Salvatore Bonaccorso <[email protected]> writes:
    >
    >> On Tue, Jun 25, 2024 at 03:04:42AM +0000, Debian FTP Masters wrote:
    >>>  org-mode (9.7.5+dfsg-1) unstable; urgency=medium
    >>>  .
    >>>    * New upstream release that resolves CVE-2024-39331 (Closes: #1074136).
    > [snip]
    >>
    >> Thanks for this upload. FYI, I have uploaded a corresponding version
    >> for bullseye-security to security-master some minutes ago as well.
    >
    > Thank you! As for bookworm, I'm unhappy with the security tracker
    > status of "ignored". Would you please ACK an upgrade of the empty
    > package's emacs dependency to ( >= emacs_fixed_version )? That way the
    > metadata would ensure that it's fixed. Feel free to do it yourself, if
    > you'd prefer, but I have not been ignoring the state of bookworm, so I
    > want users to see "fixed", and feel safe, rather than see "ignored" and
    > wonder about apathy in the face of scary vulnerabilities.

    I admit, the state might be confusing, but it's tracking the source
    package, thus ignored with the attached reason. (In fact we are
    pondering whether we can/should introduce a substate of unfixed for
    such cases where no binary packages are affected; we cannot use the
    usual "unimportant" here, see the tracker documentation, because the
    severity would affect the source package as a whole.)

    I think users are confused about the state mostly because they use
    commercial security scanners, thinking that the security-tracker
    exposes information about the binary packages, which is not true.

    Hope this clarifies things for you?

    > I also received a bug report about how bookworm's org-mode-doc shadows
    > the docs provided by emacs-common-non-dfsg. A similar empty package,
    > plus ( >= emacs-common-non-dfsg ) would fix that.

    This indeed might go in with an upcoming point release but is out of
    scope for a security update.

    > Looking forward to hearing what you think,
    > Nicholas

    Thanks for all your work, and regards
    Salvatore
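Salvatore's point above, that the tracker records a status per source package and suite rather than per binary package, is exactly what an inventory or scanner script gets wrong when it reports "ignored" as a per-binary "vulnerable". The following is an added example, not code from this thread or from the Debian security tracker project: it maps installed binary packages to their source package through the `Source:` field of a dpkg status file, joins that to an excerpt in the shape of the tracker's JSON export (https://security-tracker.debian.org/tracker/data/json; the per-release `status`, `nodsa_reason` and `fixed_version` fields are an assumption about that format), and prints each finding with the source-level status and its reason left visible. Both inputs are constructed inline; only the CVE id, the bug number and the sid version come from the thread, all other versions are placeholders.

```python
import json
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed excerpt in the format of /var/lib/dpkg/status.  Package names
# come from the thread; every version below is a placeholder, not a real one.
DPKG_STATUS = """\
Package: elpa-org
Status: install ok installed
Version: 0.0-1
Source: org-mode
Architecture: all

Package: org-mode
Status: install ok installed
Version: 0.0-1
Architecture: all

Package: emacs-common
Status: install ok installed
Version: 0.0-1
Source: emacs (0.0-1)
Architecture: all

Package: removed-example
Status: deinstall ok config-files
Version: 0.0-1
Architecture: all
"""

# Constructed excerpt shaped like the tracker's JSON export (assumed layout:
# source package -> CVE -> "releases" -> suite -> status fields).
TRACKER_JSON = json.dumps({
    "org-mode": {"CVE-2024-39331": {"debianbug": 1074136, "releases": {
        "bookworm": {"status": "open", "nodsa_reason": "ignored",
                     "nodsa": "constructed: bookworm ships only empty packages",
                     "repositories": {"bookworm": "0.0-1"}},
        "bullseye": {"status": "resolved", "fixed_version": "0.0-1+deb11u1",
                     "repositories": {"bullseye": "0.0-1"}},
        "sid": {"status": "resolved", "fixed_version": "9.7.5+dfsg-1",
                "repositories": {"sid": "9.7.5+dfsg-1"}}}}},
    "emacs": {"CVE-2024-39331": {"releases": {
        "bookworm": {"status": "resolved", "fixed_version": "0.0-1+deb12u1",
                     "repositories": {"bookworm": "0.0-1+deb12u1"}}}}},
})

# "Source: name (version)" -- dpkg includes the version part only sometimes
_SOURCE_RE = re.compile(r"^(\S+)(?:\s+\(.*\))?$")


def parse_dpkg_status(text: str) -> Dict[str, str]:
    """Map each installed binary package to its source package.

    dpkg writes a Source: field only when the source name differs from the
    binary name, so the binary name is the fallback.  Removed packages that
    linger in the database (config-files state) are skipped.
    """
    installed: Dict[str, str] = {}
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields: Dict[str, str] = {}
        for line in stanza.splitlines():
            if line[:1] not in (" ", "\t") and ":" in line:
                key, _, value = line.partition(":")
                fields[key.strip()] = value.strip()
        if fields.get("Status", "").split()[-1:] != ["installed"]:
            continue
        binary = fields["Package"]
        installed[binary] = _SOURCE_RE.match(fields.get("Source", binary)).group(1)
    return installed


@dataclass(frozen=True)
class Finding:
    binary: str
    source: str
    cve: str
    status: str                  # tracker status of the SOURCE package in the suite
    nodsa_reason: Optional[str]  # e.g. "ignored" or "postponed" when no DSA is planned
    fixed_version: Optional[str]

    def verdict(self) -> str:
        """Report line that does not collapse source status into a binary verdict."""
        if self.status == "resolved":
            return f"{self.binary}: {self.cve} resolved in source {self.source} (fixed in {self.fixed_version})"
        reason = self.nodsa_reason or "no no-dsa reason recorded"
        return (f"{self.binary}: {self.cve} {self.status} for source {self.source} ({reason}); "
                "source-level status, not a statement about this binary package")


def check_host(dpkg_status: str, tracker_json: str, suite: str) -> List[Finding]:
    """Join installed binaries to tracker entries for one suite (e.g. 'bookworm')."""
    tracker = json.loads(tracker_json)
    findings: List[Finding] = []
    for binary, source in sorted(parse_dpkg_status(dpkg_status).items()):
        for cve, entry in sorted(tracker.get(source, {}).items()):
            release = entry.get("releases", {}).get(suite)
            if release is None:
                continue  # tracker has no record for this source in this suite
            findings.append(Finding(binary, source, cve, release["status"],
                                    release.get("nodsa_reason"), release.get("fixed_version")))
    return findings


if __name__ == "__main__":
    for suite in ("bookworm", "bullseye"):
        print(f"== {suite} ==")
        for finding in check_host(DPKG_STATUS, TRACKER_JSON, suite):
            print(" ", finding.verdict())
```

Run against a real host, the two constructed strings would be replaced by the contents of `/var/lib/dpkg/status` and a download of the tracker's JSON export; the join itself is unchanged. The point the output makes is the one from the thread: for bookworm the `org-mode` and `elpa-org` binaries inherit "open / ignored" from their source package while `emacs-common` reads "resolved", and the verdict text says which kind of statement each is instead of letting a dashboard turn the former into "vulnerable".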
