
Re: Fixing CVE-2017-5617 (SSRF) for svgsalamander in wheezy



On Fri, Feb 03, 2017 at 10:07:55AM +0100, Sebastiaan Couwenberg wrote:
> Dear LTS Team,
> 
> Vincent Privat of the JOSM development team has provided a fix for
> CVE-2017-5617 (#853134).
> 
> I've included a patch with his changes in the Debian package, and
> uploaded it to unstable, and backported the patch for the jessie &
> wheezy packages.
> 
> Affected versions:
> 
>  * jessie: 0~svn95-1
>  * wheezy: 0~svn95-1
> 
> Fixed versions:
> 
>  * jessie: 0~svn95-1+deb8u1
>  * wheezy: 0~svn95-1+deb7u1
> 
> Are these changes OK for upload to security-master?

Thanks for looking into this!

Looks good from the LTS point of view (wheezy-security)! Feel free to
upload. Since you did not cc the security team (security@debian.org) for
jessie-security I assume you sent a separate mail?

Do you want to send the DLA as well or should I handle it? 

Note that you can only upload the orig.tar.gz once (either for
wheezy-security or jessie-security) since both use the same upstream
versions.

Cheers,
 -- Guido

