In the security FAQ:
http://www.debian.org/security/faq
The most important guideline when making a new package that fixes
a security problem is to make as few changes as possible. Our
users and developers are relying on the exact behaviour of a
release once it is made, so any change we make can possibly break
someone's system. This is especially true in case of libraries:
make sure you never change the Application Program Interface (API)
or Application Binary Interface (ABI), no matter how small the
change is.
Bob Proulx wrote:
> > Package : xloadimage
> > Vulnerability : missing input sanitising, integer overflow
> > CVE ID : CAN-2005-0638 CAN-2005-0639
> > Debian Bug : 298926
>
> But the latest security upload changed the dependencies. Obviously
> that was unintentional. But it is still a bad thing.
>
> From:
>
> Depends: libc6 (>= 2.2.4-4), libjpeg62, libpng2(>=1.0.12), libtiff3g, xlibs (>> 4.1.0), zlib1g (>= 1:1.1.3)
>
> To:
>
> Depends: libc6 (>= 2.2.4-4), libjpeg62, libpng3, libtiff3g, xlibs (>> 4.1.0), zlib1g (>= 1:1.1.4)
>
> This means that an 'apt-get upgrade' will not satisfy the dependencies
> of libpng3 and a dist-upgrade is required.
>
> Can a new upload be made that fixes this problem?
>
> Thanks
> Bob
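The kind of regression Bob describes is easy to catch before upload by diffing the Depends field of the previous and the new build. The following POSIX shell check is an added example, not part of this thread or of Debian's tooling; it assumes the two fields have already been extracted (for instance with dpkg-deb -f) and uses the two lines quoted above as its input.

```shell
# Compare the Depends field of two package builds and report any drift.
# In practice the fields come from the built archives, e.g.
#   dpkg-deb -f old.deb Depends    and    dpkg-deb -f new.deb Depends
# Here they are the two lines quoted in Bob's message.
OLD_DEPENDS='libc6 (>= 2.2.4-4), libjpeg62, libpng2(>=1.0.12), libtiff3g, xlibs (>> 4.1.0), zlib1g (>= 1:1.1.3)'
NEW_DEPENDS='libc6 (>= 2.2.4-4), libjpeg62, libpng3, libtiff3g, xlibs (>> 4.1.0), zlib1g (>= 1:1.1.4)'

# depends_diff OLD NEW: prints one "added:/removed:/changed:" line per
# difference (sorted) and returns 0 only when the two fields agree.
# Entries are split on ',' only, so an alternative like "a | b" is compared
# as one unit; version relations are compared textually, not semantically.
depends_diff() {
    out=$(
        { printf 'OLD\t%s\n' "$1"; printf 'NEW\t%s\n' "$2"; } | awk -F'\t' '
        function show(n, r) { return (r == "") ? n : n " " r }
        {
            side = $1
            n = split($2, deps, ",")
            for (i = 1; i <= n; i++) {
                d = deps[i]
                gsub(/^[ \t]+|[ \t]+$/, "", d)
                if (d == "") continue
                name = d; rel = ""
                if (match(d, /\(/)) {        # "pkg (>= ver)" or "pkg(>=ver)"
                    name = substr(d, 1, RSTART - 1)
                    rel  = substr(d, RSTART)
                }
                gsub(/[ \t]/, "", name)      # canonical spacing, so "libpng2(>=1.0.12)"
                gsub(/[ \t]/, "", rel)       # and "libpng2 (>= 1.0.12)" compare equal
                if (side == "OLD") old_rel[name] = rel; else new_rel[name] = rel
                seen[name] = 1
            }
        }
        END {
            for (name in seen) {
                if (!(name in old_rel))      print "added: " show(name, new_rel[name])
                else if (!(name in new_rel)) print "removed: " show(name, old_rel[name])
                else if (old_rel[name] != new_rel[name])
                    print "changed: " show(name, old_rel[name]) " -> " show(name, new_rel[name])
            }
        }' | sort
    )
    [ -n "$out" ] && printf '%s\n' "$out"
    [ -z "$out" ]
}

depends_diff "$OLD_DEPENDS" "$NEW_DEPENDS" || echo "Depends changed: a plain 'apt-get upgrade' may hold the package back"
```

For the two fields above the check reports libpng3 as added, libpng2 as removed and the zlib1g relation as changed, and exits non-zero, so it can gate a security upload in a build script.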