
Re: Regression caused by fix for Bug#781228: freexl: Multiple vulnerabilities



Hi Sebastiaan,

On Thu, Nov 12, 2015 at 10:31:55PM +0100, Sebastiaan Couwenberg wrote:
> Dear Security Team,
> 
> The patch to fix multiple vulnerabilities identified by American Fuzzy
> Lop reported in #781228 caused a regression as reported in the GDAL issue
> tracker:
> 
>  https://trac.osgeo.org/gdal/ticket/6200
> 
> The change to fix this regression was included in freexl (1.0.1-1~exp1),
> but not in the security updates for
> jessie (1.0.0g-1+deb8u1) & wheezy (1.0.0b-1+deb7u1).
> 
> I've prepared updates to fix this regression for jessie & wheezy, see
> the attached debdiffs.
> 
> Are these regression fixes appropriate for upload to
> {wheezy,jessie}-security or should they be uploaded to proposed-updates
> instead?

Since the regression was introduced via a DSA, we might address this
regression through a follow-up DSA:

> diff -Nru freexl-1.0.0b/debian/changelog freexl-1.0.0b/debian/changelog
> --- freexl-1.0.0b/debian/changelog	2015-07-19 12:21:54.000000000 +0200
> +++ freexl-1.0.0b/debian/changelog	2015-11-12 22:24:56.000000000 +0100
> @@ -1,3 +1,9 @@
> +freexl (1.0.0b-1+deb7u3) UNRELEASED; urgency=medium
[...]
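Review bot: the new wheezy stanza is versioned 1.0.0b-1+deb7u3, while the mail names 1.0.0b-1+deb7u1 as the wheezy security update being fixed; the hunk header "@@ -1,3 +1,9 @@" adds only one six-line stanza, so either a +deb7u2 upload already exists in wheezy-security and is absent from this excerpt, or the revision should be +deb7u2. Please confirm which before upload.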
> diff -Nru freexl-1.0.0g/debian/changelog freexl-1.0.0g/debian/changelog
> --- freexl-1.0.0g/debian/changelog	2015-07-19 13:45:38.000000000 +0200
> +++ freexl-1.0.0g/debian/changelog	2015-11-12 22:10:04.000000000 +0100
> @@ -1,3 +1,9 @@
> +freexl (1.0.0g-1+deb8u3) UNRELEASED; urgency=medium
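Review bot: the jessie stanza still carries "UNRELEASED; urgency=medium", which dpkg-genchanges would reject for a security-master upload; the distribution field should name the target suite (jessie-security) and the urgency should be raised to high, matching the conventions restated in the reply below.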

s/UNRELEASED/wheezy-security/ and urgency=high set or respectively
jessie-security for the second one.

With the above changes please go ahead with your upload to
security-master.

Thanks for your work and pinging us about the regression.

Regards,
Salvatore
