Question on libarchive/3.7.4-2 and CVE-2025-1632 patch

To: debian-devel@lists.debian.org
Subject: Question on libarchive/3.7.4-2 and CVE-2025-1632 patch
From: Salvatore Bonaccorso <carnil@debian.org>
Date: Sat, 26 Apr 2025 11:36:46 +0200
Message-id: <[🔎] aAypLtALx-exXDWH@eldamar.lan>
Mail-followup-to: debian-devel@lists.debian.org
In-reply-to: <E1u8biI-009pgy-Ip@fasolo.debian.org>
References: <E1u8biI-009pgy-Ip@fasolo.debian.org>

Hi Peter,

On Sat, Apr 26, 2025 at 09:20:46AM +0000, Debian FTP Masters wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
> 
> Format: 1.8
> Date: Sat, 26 Apr 2025 11:34:57 +0300
> Source: libarchive
> Architecture: source
> Version: 3.7.4-2
> Distribution: unstable
> Urgency: high
> Maintainer: Peter Pentchev <roam@debian.org>
> Changed-By: Peter Pentchev <roam@debian.org>
> Closes: 1103494
> Changes:
>  libarchive (3.7.4-2) unstable; urgency=high
>  .
>    * Acknowledge NMU; thanks, Salvatore!
>    * Point to the debian/trixie branch in the gbp.conf file since
>      the master branch in the repository already contains changes that
>      did not make it in time for the Trixie freeze.
>    * Add the CVE-2025-1632 patch. Closes: #1103494
>    * Add the year 2025 to my debian/* copyright notice.

Was there a reason not to pick the upstream commited
https://github.com/libarchive/libarchive/commit/8ce2aca6c7d6f004f860c6619cb6cc98d51ac69a
?

Regards,
Salvatore

Reply to:

Follow-Ups:
- Re: Question on libarchive/3.7.4-2 and CVE-2025-1632 patch
  - From: Peter Pentchev <roam@ringlet.net>

Prev by Date: Re: Associating .texi files to the media type text/prs.texi?
Next by Date: Re: Question on libarchive/3.7.4-2 and CVE-2025-1632 patch
Previous by thread: Re: "ftp:" URLs in debian/copyright files
Next by thread: Re: Question on libarchive/3.7.4-2 and CVE-2025-1632 patch
Index(es):
- Date
- Thread