In the security FAQ: http://www.debian.org/security/faq

    The most important guideline when making a new package that fixes a
    security problem is to make as few changes as possible. Our users and
    developers are relying on the exact behaviour of a release once it is
    made, so any change we make can possibly break someone's system. This
    is especially true in case of libraries: make sure you never change
    the Application Program Interface (API) or Application Binary
    Interface (ABI), no matter how small the change is.

Bob Proulx wrote:
> > Package        : xloadimage
> > Vulnerability  : missing input sanitising, integer overflow
> > CVE ID         : CAN-2005-0638 CAN-2005-0639
> > Debian Bug     : 298926
>
> But the latest security upload changed the dependencies. Obviously
> that was unintentional. But it is still a bad thing.
>
> From:
>
> Depends: libc6 (>= 2.2.4-4), libjpeg62, libpng2(>=1.0.12), libtiff3g, xlibs (>> 4.1.0), zlib1g (>= 1:1.1.3)
>
> To:
>
> Depends: libc6 (>= 2.2.4-4), libjpeg62, libpng3, libtiff3g, xlibs (>> 4.1.0), zlib1g (>= 1:1.1.4)
>
> This means that an 'apt-get upgrade' will not satisfy the dependencies
> of libpng3 and a dist-upgrade is required.
>
> Can a new upload be made that fixes this problem?
>
> Thanks
> Bob
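A check for the regression Bob describes, added here as an example and not taken from the thread or from Debian's own tooling: parse the old and new Depends fields of a package and report every package that was added, dropped, or given a different version constraint, which is exactly what a stable security update should not do. The two Depends strings are the ones quoted in the report; the function names are my own.

```python
import re

# Sample input: the two Depends lines quoted in the report above (constructed as strings).
OLD_DEPENDS = ("libc6 (>= 2.2.4-4), libjpeg62, libpng2(>=1.0.12), libtiff3g, "
               "xlibs (>> 4.1.0), zlib1g (>= 1:1.1.3)")
NEW_DEPENDS = ("libc6 (>= 2.2.4-4), libjpeg62, libpng3, libtiff3g, "
               "xlibs (>> 4.1.0), zlib1g (>= 1:1.1.4)")

# One dependency: a package name, optionally followed by "(relation version)".
# The optional whitespace tolerates the unspaced form "libpng2(>=1.0.12)".
DEP_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9+.-]*)\s*(?:\(\s*([<>=]+)\s*([^)\s]+)\s*\))?$")


def parse_depends(field):
    """Map each dependency to its version constraint ("relation version") or None.
    An alternative group such as "a | b" is kept under the key "a | b"."""
    deps = {}
    for clause in field.split(","):
        names, versions = [], []
        for alt in clause.split("|"):
            m = DEP_RE.match(alt.strip())
            if not m:
                raise ValueError(f"cannot parse dependency: {alt.strip()!r}")
            name, rel, ver = m.groups()
            names.append(name)
            versions.append(f"{rel} {ver}" if rel else None)
        deps[" | ".join(names)] = versions[0] if len(versions) == 1 else tuple(versions)
    return deps


def compare_depends(old_field, new_field):
    """Report what a new upload changed in Depends: added and removed packages,
    plus constraints that differ. A non-empty result means 'apt-get upgrade'
    may hold the package back or pull in packages the old version never needed."""
    old, new = parse_depends(old_field), parse_depends(new_field)
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = sorted((p, old[p], new[p]) for p in set(old) & set(new) if old[p] != new[p])
    return {"added": added, "removed": removed, "changed": changed}


if __name__ == "__main__":
    for kind, items in compare_depends(OLD_DEPENDS, NEW_DEPENDS).items():
        for item in items:
            print(kind, item)
```

On the quoted fields this flags libpng3 as added, libpng2 as removed, and the zlib1g constraint as tightened from 1:1.1.3 to 1:1.1.4.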