Re: Regression caused by fix for Bug#781228: freexl: Multiple vulnerabilities





On 13/11/2015 at 11:52, Sebastiaan Couwenberg wrote:

> Hi Johan,
>
> On 13-11-15 11:46, Sebastiaan Couwenberg wrote:
>> On 13-11-15 06:45, Salvatore Bonaccorso wrote:
>>> On Thu, Nov 12, 2015 at 10:31:55PM +0100, Sebastiaan Couwenberg
>>> wrote:
>>>> Dear Security Team,
>>>>
>>>> The patch to fix multiple vulnerabilities identified by
>>>> American Fuzzy Lop reported in #781228 caused a regression as
>>>> reported in the GDAL issue tracker:
>>>>
>>>> https://trac.osgeo.org/gdal/ticket/6200
>>>>
>>>> The change to fix this regression was included in freexl
>>>> (1.0.1-1~exp1), but not in the security updates for jessie
>>>> (1.0.0g-1+deb8u1) & wheezy (1.0.0b-1+deb7u1).
>>>>
>>>> I've prepared updates to fix this regression for jessie &
>>>> wheezy, see the attached debdiffs.
>>>>
>>>> Are these regression fixes appropriate for upload to
>>>> {wheezy,jessie}-security or should they be uploaded to
>>>> proposed-updates instead?
>>> Since the regression was introduced via a DSA, we might address
>>> this regression through a follow-up DSA:
>>>
>>> s/UNRELEASED/wheezy-security/ and urgency=high set or
>>> respectively jessie-security for the second one.
>>>
>>> With the above changes please go ahead with your upload to
>>> security-master.
>>>
>>> Thanks for your work and pinging us about the regression.
>> Thanks for the quick feedback,
>>
>> I've set the distribution and urgency as appropriate for security
>> uploads and uploaded both to security-master.
> We also need this regression fix uploaded for Ubuntu trusty & vivid.
>
> Shall I also do those, or can you take care of the uploads for Ubuntu?
>
> Please note that besides afl-vulnerabilitities-regression.patch we may
> also want to include 32bit-multiplication-overflow.patch in the
> update; this issue hasn't been fixed in Ubuntu yet.
I was watching this thread. I'll propose Ubuntu patches.

Kind Regards,
Johan