Hi Sebastiaan,

On Thu, Nov 12, 2015 at 10:31:55PM +0100, Sebastiaan Couwenberg wrote:
> Dear Security Team,
>
> The patch to fix multiple vulnerabilities identified by American Fuzzy
> Lop reported in #781228 caused a regression as reported in the GDAL issue
> tracker:
>
> https://trac.osgeo.org/gdal/ticket/6200
>
> The change to fix this regression was included in freexl (1.0.1-1~exp1),
> but not in the security updates for
> jessie (1.0.0g-1+deb8u1) & wheezy (1.0.0b-1+deb7u1).
>
> I've prepared updates to fix this regression for jessie & wheezy, see
> the attached debdiffs.
>
> Are these regression fixes appropriate for upload to
> {wheezy,jessie}-security or should they be uploaded to proposed-updates
> instead?

Since the regression was introduced via a DSA, we might address this
regression through a follow-up DSA:

> diff -Nru freexl-1.0.0b/debian/changelog freexl-1.0.0b/debian/changelog
> --- freexl-1.0.0b/debian/changelog 2015-07-19 12:21:54.000000000 +0200
> +++ freexl-1.0.0b/debian/changelog 2015-11-12 22:24:56.000000000 +0100
> @@ -1,3 +1,9 @@
> +freexl (1.0.0b-1+deb7u3) UNRELEASED; urgency=medium

[...]

> diff -Nru freexl-1.0.0g/debian/changelog freexl-1.0.0g/debian/changelog
> --- freexl-1.0.0g/debian/changelog 2015-07-19 13:45:38.000000000 +0200
> +++ freexl-1.0.0g/debian/changelog 2015-11-12 22:10:04.000000000 +0100
> @@ -1,3 +1,9 @@
> +freexl (1.0.0g-1+deb8u3) UNRELEASED; urgency=medium

s/UNRELEASED/wheezy-security/ and set urgency=high, or respectively
jessie-security for the second one.

With the above changes please go ahead with your upload to security-master.

Thanks for your work and for pinging us about the regression.

Regards,
Salvatore
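Review bot: in the wheezy changelog hunk the new version is 1.0.0b-1+deb7u3, while the request describes the wheezy security update as 1.0.0b-1+deb7u1; confirm that a deb7u2 already exists in the archive so the version sequence is intended, and note that the heading line still reads `UNRELEASED; urgency=medium`, which must become `wheezy-security; urgency=high` before the upload to security-master.

Review bot: in the jessie changelog hunk the same version gap appears (1.0.0g-1+deb8u3 proposed against the 1.0.0g-1+deb8u1 mentioned in the request); confirm that deb8u2 exists, and change the heading line from `UNRELEASED; urgency=medium` to `jessie-security; urgency=high` so the entry matches the target suite and the urgency expected for a DSA follow-up.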
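The two changelog edits the reply asks for (target suite instead of UNRELEASED, urgency raised to high) are easy to forget before `dput`. The following is an added example, not code from this thread or from the freexl package, that checks the head of a debian/changelog for exactly those two fields and applies the substitutions; the changelog contents, maintainer address and file names in it are constructed for the example and are not the real debdiff.

```shell
#!/bin/sh
# Added example (not from the original e-mail or the freexl package):
# check and fix the first debian/changelog entry for a security upload.
# The sample changelog below is constructed to mirror the state the
# debdiff was in: distribution UNRELEASED, urgency medium.

# Write a constructed changelog to the path given as $1.
make_sample_changelog() {
    cat > "$1" <<'EOF'
freexl (1.0.0g-1+deb8u3) UNRELEASED; urgency=medium

  * Regression fix placeholder entry (constructed for this example).

 -- Example Maintainer <maintainer@example.org>  Thu, 12 Nov 2015 22:10:04 +0100
EOF
}

# Print the fields of the first heading line as "version distribution urgency".
changelog_head() {
    head -n1 "$1" | sed -E 's/^[^ ]+ \(([^)]+)\) ([^;]+); urgency=([a-z]+).*/\1 \2 \3/'
}

# Return 0 when the top entry targets <suite>-security with urgency=high,
# otherwise print each mismatch and return 1.
check_security_changelog() {
    file=$1; suite=$2
    set -- $(changelog_head "$file")
    version=$1; dist=$2; urgency=$3
    ok=0
    if [ "$dist" != "${suite}-security" ]; then
        echo "$version: distribution is '$dist', expected '${suite}-security'"
        ok=1
    fi
    if [ "$urgency" != "high" ]; then
        echo "$version: urgency is '$urgency', expected 'high'"
        ok=1
    fi
    return $ok
}

# Apply the two substitutions from the reply to the first heading line only,
# leaving older entries untouched.
fix_security_changelog() {
    file=$1; suite=$2
    sed -i.bak -E "1s/\) UNRELEASED;/) ${suite}-security;/; 1s/urgency=[a-z]+/urgency=high/" "$file"
    rm -f "$file.bak"
}
```

Run `check_security_changelog debian/changelog jessie` (or `wheezy`) as the last step before building the source package; a non-zero exit means the entry would still be rejected or misrouted. `dpkg-parsechangelog` gives the same fields on a Debian host, but the sed parser above keeps the check usable on any POSIX system.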