Comment 3 for bug 418008

Michele Mordenti (micmord) wrote :

It seems that Debian, in August, made a security update to zope2.10, zope2.11 and zope-common.

zope2.10 (this package)

zope2.11 (2.11.4-1) unstable; urgency=high

   * New upstream release, fixes two vulnerabilities in the ZEO network
     protocol: CVE-2009-0668 and CVE-2009-0669. (closes: #540463)
   * Add support to start a particular instance to initscript.
   * Bump pre-depends on zope-common to 0.5.49 and build-depends on debhelper
     to 0.3.14 to use invoke-rc.d in maintainer scripts. (closes: #540158)
   * Set urgency=high as this upload fixes two serious bugs.

 -- Jonas Meurer <email address hidden> Sun, 09 Aug 2009 16:00:28 +0200

zope-common (0.5.49) unstable; urgency=high

   * add zope2.12 to known zope releases in dzhandle.
   * bump standards-version to 3.8.2, noch changes needed.
   * bump debhelper compat level to 6.
   * add russian debconf translation, thanks to Yuri Kozlov. (closes: #539466)
   * add spanish debconf translation, thanks to Fernando González de Requena.
     (closes: #539588)
   * use 'invoke-rc.d zopeZVER restart INSTANCE=<name>' to restart pending zope
     instances in DZRestartPendingInstances.run().
   * add Breaks: zope2.7, zope2.8, zope2.9, zope2.10 (<< 2.10.9), zope2.11
     (<< 2.11.4) for that reason.
   * set urgency=high for that reason.

 -- Jonas Meurer <email address hidden> Mon, 10 Aug 2009 14:44:40 +0200

Ubuntu, on karmic, synced only zope2.10, breaking the dependencies on zope-common (this bug report).

For lucid I suggest a sync/merge with upstream.

For karmic?
An SRU with the right dependencies closes this bug, but doesn't solve the bug mentioned in the changelog.

How do we proceed in this case?