Your message dated Fri, 3 Jun 2005 16:39:26 +0200 with message-id <20050603143926.GJ12099@mails.so.argh.org> and subject line Please allow drupal 4.5.3-2 into sarge has caused the attached Bug report to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what I am talking about this indicates a serious mail system misconfiguration somewhere. Please contact me immediately.) Debian bug tracking system administrator (administrator, Debian Bugs database) -------------------------------------- Received: (at submit) by bugs.debian.org; 3 Jun 2005 13:43:19 +0000

From bengen@debian.org Fri Jun 03 06:43:19 2005 Return-path: <bengen@debian.org> Received: from mail.kamp-dsl.de (dsl-mail.kamp.net) [195.62.99.42] by spohr.debian.org with smtp (Exim 3.35 1 (Debian)) id 1DeCSE-0005iY-00; Fri, 03 Jun 2005 06:43:18 -0700 Received: (qmail 12372 invoked by uid 513); 3 Jun 2005 13:43:21 -0000 Received: from 213.146.117.234 by dsl-mail (envelope-from <bengen@debian.org>, uid 89) with qmail-scanner-1.24 (clamdscan: 0.80/609. spamassassin: 2.60. Clear:RC:1(213.146.117.234):SA:0(-1.6/5.0):. Processed in 1.305859 secs); 03 Jun 2005 13:43:21 -0000 Received: from hilluzination.de (HELO paranoia) (hillu%kamp-dsl.de@213.146.117.234) by dsl-mail.kamp.net with SMTP; 3 Jun 2005 13:43:20 -0000 Received: from ataraxia ([192.168.1.251] helo=localhost.localdomain) by paranoia with esmtp (Exim 4.34) id 1DeCSA-0004dC-WB; Fri, 03 Jun 2005 15:43:15 +0200 Received: from bengen by localhost.localdomain with local (Exim 4.50) id 1DeCTv-0003vq-4r; Fri, 03 Jun 2005 15:45:03 +0200 To: debian-release@lists.debian.org, debian-security@lists.debian.org Cc: submit@bugs.debian.org Subject: Re: Please allow drupal 4.5.3-1 Mail-Copies-To: nobody In-Reply-To: <20050603120107.GB5280@heinrich.complete.org> (John Goerzen's message of "Fri, 3 Jun 2005 07:01:07 -0500") References: <87ll5tskf1.fsf@ataraxia.int.hilluzination.de> <200506011916.04838.ieure@debian.org> <20050603055550.GI5149@mauritius.dodds.net> <20050603061922.GU884@finlandia.infodrom.north.de> <20050603064823.GL5149@mauritius.dodds.net> <87psv3es34.fsf@ataraxia.int.hilluzination.de> <20050603120107.GB5280@heinrich.complete.org> From: Hilko Bengen <bengen@debian.org> Date: Fri, 03 Jun 2005 15:45:03 +0200 Message-ID: <87u0kfd068.fsf@ataraxia.int.hilluzination.de> User-Agent: Gnus/5.1007 (Gnus v5.10.7) XEmacs/21.4 (Jumbo Shrimp, linux) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Delivered-To: submit@bugs.debian.org X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 (1.212-2003-09-23-exp) on spohr.debian.org X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE autolearn=no version=2.60-bugs.debian.org_2005_01_02 X-Spam-Level:

Package: drupal Version: 4.5.2-0 Severity: critical Tags: security, sarge John Goerzen <jgoerzen@complete.org> writes:

On Fri, Jun 03, 2005 at 10:56:47AM +0200, Hilko Bengen wrote:

...

Steve Langasek <vorlon@debian.org> writes:

So, you are not accepting my drupal_4.5.3-1 (or -2) package into sarge because 4.5.3 fixes more than cited security issue?

Why are you not using the simple patch available at http://drupal.org/drupal-4.6.1

I had only been told that 4.5.3 which is supposed to fix some security issue had been released. Hoping that the release team would simply accept it into sarge, I just packaged that. BTW: Dries Buytaert, one of the main developers of Drupal, just told me that most of the other fixes in 4.5.3 are input checks. Moreover, the 4.5.3-2 package I uploaded also adds Vietnamese Debconf translations, which might qualify it for inclusion in Sarge. Again, there is _no_ added functionality over 4.5.2 in 4.5.3. I frankly don't see why the issue is still being discussed and casual comments are made about what a maintainer should do to "get it right". I'd rather not be responsible for stressing the security team nor the release team too much a few days before Sarge is going to be released. OTOH, I _have_ uploaded a package which fixes the security issue and I suppose I could just sit there and assume that this is ok until told otherwise. Cheers, -Hilko --------------------------------------- Received: (at 311817-done) by bugs.debian.org; 3 Jun 2005 14:39:34 +0000

From aba@not.so.argh.org Fri Jun 03 07:39:34 2005 Return-path: <aba@not.so.argh.org> Received: from neualius.turmzimmer.net [217.160.169.58] by spohr.debian.org with esmtp (Exim 3.35 1 (Debian)) id 1DeDKg-0003w7-00; Fri, 03 Jun 2005 07:39:34 -0700 Received: from [195.60.122.97] (helo=metis.turmzimmer.net) by neualius.turmzimmer.net with esmtp (Exim 4.50) id 1DeDKe-0003xK-DM; Fri, 03 Jun 2005 16:39:32 +0200 Received: from eos.turmzimmer.net ([10.2.3.1]) by metis.turmzimmer.net with esmtp (Exim 4.50) id 1DeDKU-0000X2-Pp; Fri, 03 Jun 2005 16:39:22 +0200 Received: from aba by eos.turmzimmer.net with local (Exim 4.50) id 1DeDKZ-0004Rp-1O; Fri, 03 Jun 2005 16:39:27 +0200 Date: Fri, 3 Jun 2005 16:39:26 +0200 From: Andreas Barth <aba@not.so.argh.org> To: Hilko Bengen <bengen@debian.org> Cc: debian-release@lists.debian.org, 311817-done@bugs.debian.org Subject: Re: Please allow drupal 4.5.3-2 into sarge Message-ID: <20050603143926.GJ12099@mails.so.argh.org> Mail-Followup-To: Andreas Barth <aba@not.so.argh.org>, Hilko Bengen <bengen@debian.org>, debian-release@lists.debian.org, 311817-done@bugs.debian.org References: <87ll5tskf1.fsf@ataraxia.int.hilluzination.de> <878y1trsto.fsf@ataraxia.int.hilluzination.de> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <878y1trsto.fsf@ataraxia.int.hilluzination.de> X-Editor: Vim http://www.vim.org/ User-Agent: Mutt/1.5.9i Delivered-To: 311817-done@bugs.debian.org X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 (1.212-2003-09-23-exp) on spohr.debian.org X-Spam-Status: No, hits=-3.0 required=4.0 tests=BAYES_00 autolearn=no version=2.60-bugs.debian.org_2005_01_02 X-Spam-Level:

* Hilko Bengen (bengen@debian.org) [050602 12:57]:

Hilko Bengen <bengen@debian.org> writes:

...

Just a few hours ago, the Drupal project has released version 4.5.3, a bugfix release which fixes a serious security bug. I have created and just uploaded a 4.5.3-1 package to unstable. Updated Debconf translations are the only additional changes over 4.5.2-3 which is the version in sarge.

The corresponding advisory from upstream can be found here: http://drupal.org/files/sa-2005-001/advisory.txt.

As I write this mail, I am uploading drupal 4.5.3-2 which adds Vietnamese translation that I received this morning. Please allow either -1 or -2 to go into sarge because of mentioned security fix.

hinted in. Cheers, Andi