[drupal-devel] Bug#311817: marked as done (Please allow drupal 4.5.3-1)

Debian Bug Tracking System owner at bugs.debian.org
Fri Jun 3 14:53:55 UTC 2005

Your message dated Fri, 3 Jun 2005 16:39:26 +0200
with message-id <20050603143926.GJ12099 at mails.so.argh.org>
and subject line Please allow drupal 4.5.3-2 into sarge
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

To: debian-release at lists.debian.org,  debian-security at lists.debian.org
Cc: submit at bugs.debian.org
Subject: Re: Please allow drupal 4.5.3-1
Mail-Copies-To: nobody
In-Reply-To: <20050603120107.GB5280 at heinrich.complete.org> (John Goerzen's
 message of "Fri, 3 Jun 2005 07:01:07 -0500")
References: <87ll5tskf1.fsf at ataraxia.int.hilluzination.de>
	<200506011916.04838.ieure at debian.org>
	<20050603055550.GI5149 at mauritius.dodds.net>
	<20050603061922.GU884 at finlandia.infodrom.north.de>
	<20050603064823.GL5149 at mauritius.dodds.net>
	<87psv3es34.fsf at ataraxia.int.hilluzination.de>
	<20050603120107.GB5280 at heinrich.complete.org>
From: Hilko Bengen <bengen at debian.org>
Date: Fri, 03 Jun 2005 15:45:03 +0200
Message-ID: <87u0kfd068.fsf at ataraxia.int.hilluzination.de>
User-Agent: Gnus/5.1007 (Gnus v5.10.7) XEmacs/21.4 (Jumbo Shrimp, linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Delivered-To: submit at bugs.debian.org

Package: drupal
Version: 4.5.2-0
Severity: critical
Tags: security, sarge

John Goerzen <jgoerzen at complete.org> writes:

> On Fri, Jun 03, 2005 at 10:56:47AM +0200, Hilko Bengen wrote:
>> Steve Langasek <vorlon at debian.org> writes:
>> So, you are not accepting my drupal_4.5.3-1 (or -2) package into sarge
>> because 4.5.3 fixes more than the cited security issue?
> Why are you not using the simple patch available at
> http://drupal.org/drupal-4.6.1

I had only been told that 4.5.3, which is supposed to fix some security
issue, had been released. Hoping that the release team would simply
accept it into sarge, I just packaged that.

BTW: Dries Buytaert, one of the main developers of Drupal, just told
me that most of the other fixes in 4.5.3 are input checks. Moreover,
the 4.5.3-2 package I uploaded also adds Vietnamese Debconf
translations, which might qualify it for inclusion in Sarge.

Again, there is _no_ added functionality over 4.5.2 in 4.5.3. I
frankly don't see why the issue is still being discussed and casual
comments are made about what a maintainer should do to "get it right".

I'd rather not be responsible for stressing the security team nor the
release team too much a few days before Sarge is going to be released. 
OTOH, I _have_ uploaded a package which fixes the security issue and I
suppose I could just sit there and assume that this is ok until told


Date: Fri, 3 Jun 2005 16:39:26 +0200
From: Andreas Barth <aba at not.so.argh.org>
To: Hilko Bengen <bengen at debian.org>
Cc: debian-release at lists.debian.org, 311817-done at bugs.debian.org
Subject: Re: Please allow drupal 4.5.3-2 into sarge
Message-ID: <20050603143926.GJ12099 at mails.so.argh.org>
Mail-Followup-To: Andreas Barth <aba at not.so.argh.org>,
	Hilko Bengen <bengen at debian.org>, debian-release at lists.debian.org,
	311817-done at bugs.debian.org
References: <87ll5tskf1.fsf at ataraxia.int.hilluzination.de> <878y1trsto.fsf at ataraxia.int.hilluzination.de>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <878y1trsto.fsf at ataraxia.int.hilluzination.de>
X-Editor: Vim http://www.vim.org/
User-Agent: Mutt/1.5.9i
Delivered-To: 311817-done at bugs.debian.org

* Hilko Bengen (bengen at debian.org) [050602 12:57]:
> Hilko Bengen <bengen at debian.org> writes:
> > Just a few hours ago, the Drupal project has released version 4.5.3, a
> > bugfix release which fixes a serious security bug. I have created and
> > just uploaded a 4.5.3-1 package to unstable. Updated Debconf
> > translations are the only additional changes over 4.5.2-3 which is
> > the version in sarge.
> >
> > The corresponding advisory from upstream can be found here:
> > http://drupal.org/files/sa-2005-001/advisory.txt.
> As I write this mail, I am uploading drupal 4.5.3-2 which adds
> Vietnamese translation that I received this morning. Please allow
> either -1 or -2 to go into sarge because of the mentioned security fix.

hinted in.

