Re: Regression caused by fix for Bug#781228: freexl: Multiple vulnerabilities



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi Salvatore,

On 13-11-15 06:45, Salvatore Bonaccorso wrote:
> On Thu, Nov 12, 2015 at 10:31:55PM +0100, Sebastiaan Couwenberg
> wrote:
>> Dear Security Team,
>> 
>> The patch to fix multiple vulnerabilities identified by American
>> Fuzzy Lop reported in #781228 caused a regression as reported in
>> the GDAL issue tracker:
>> 
>> https://trac.osgeo.org/gdal/ticket/6200
>> 
>> The change to fix this regression was included in freexl
>> (1.0.1-1~exp1), but not in the security updates for jessie
>> (1.0.0g-1+deb8u1) & wheezy (1.0.0b-1+deb7u1).
>> 
>> I've prepared updates to fix this regression for jessie & wheezy,
>> see the attached debdiffs.
>> 
>> Are these regression fixes appropriate for upload to 
>> {wheezy,jessie}-security or should they be uploaded to
>> proposed-updates instead?
> 
> Since the regression was introduced via a DSA, we might address
> this regression through a follow-up DSA:
> 
>> diff -Nru freexl-1.0.0b/debian/changelog
>> freexl-1.0.0b/debian/changelog --- freexl-1.0.0b/debian/changelog
>> 2015-07-19 12:21:54.000000000 +0200 +++
>> freexl-1.0.0b/debian/changelog	2015-11-12 22:24:56.000000000
>> +0100 @@ -1,3 +1,9 @@ +freexl (1.0.0b-1+deb7u3) UNRELEASED;
>> urgency=medium
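Review bot: The new changelog stanza in the wheezy hunk still reads `+freexl (1.0.0b-1+deb7u3) UNRELEASED; urgency=medium`; an upload to security-master needs the target suite and an elevated urgency, so this header line should become `+freexl (1.0.0b-1+deb7u3) wheezy-security; urgency=high` before the package is built. The body of the entry is elided in the quote ("[...]"), so the text describing the regression fix and the reference to the GDAL ticket cannot be checked here. Please also confirm the version step: the security update named earlier in this thread is 1.0.0b-1+deb7u1, and the hunk jumps to deb7u3.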
> [...]
>> diff -Nru freexl-1.0.0g/debian/changelog
>> freexl-1.0.0g/debian/changelog --- freexl-1.0.0g/debian/changelog
>> 2015-07-19 13:45:38.000000000 +0200 +++
>> freexl-1.0.0g/debian/changelog	2015-11-12 22:10:04.000000000
>> +0100 @@ -1,3 +1,9 @@ +freexl (1.0.0g-1+deb8u3) UNRELEASED;
>> urgency=medium
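Review bot: Same point for the jessie hunk: `+freexl (1.0.0g-1+deb8u3) UNRELEASED; urgency=medium` should be `+freexl (1.0.0g-1+deb8u3) jessie-security; urgency=high`, since a package left at UNRELEASED will not be accepted for the security suite. As with the wheezy diff, the changelog body is elided here, and the version goes from the previously cited 1.0.0g-1+deb8u1 straight to deb8u3, which is worth confirming against what is already in the security archive.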
> 
> s/UNRELEASED/wheezy-security/ and urgency=high set or respectively 
> jessie-security for the second one.
> 
> With the above changes please go ahead with your upload to 
> security-master.
> 
> Thanks for your work and pinging us about the regression.

Thanks for the quick feedback,

I've set the distribution and urgency as appropriate for security
uploads and uploaded both to security-master.

Kind Regards,

Bas

-- 
 GPG Key ID: 4096R/6750F10AE88D4AF1
Fingerprint: 8182 DE41 7056 408D 6146  50D1 6750 F10A E88D 4AF1
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
-----END PGP SIGNATURE-----
