[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Fixing CVE-2017-5617 (SSRF) for svgsalamander in wheezy

On 02/03/2017 11:06 AM, Guido Günther wrote:
> On Fri, Feb 03, 2017 at 10:07:55AM +0100, Sebastiaan Couwenberg wrote:
>> Dear LTS Team,
>> Vincent Privat of the JOSM development team have provided a fix for
>> CVE-2017-5617 (#853134).
>> I've included a patch with his changes in the Debian package, and
>> uploaded it to unstable, and backported the patch for the jessie &
>> wheezy packages.
>> Affected versions:
>>  * jessie: 0~svn95-1
>>  * wheezy: 0~svn95-1
>> Fixed versions:
>>  * jessie: 0~svn95-1+deb8u1
>>  * wheezy: 0~svn95-1+deb7u1
>> Are these changes OK for upload to security-master?
> Thanks for looking into this!
> Looks good from the LTS point of view (wheezy-security)! Feel free to
> upload. Since you did not cc the security team (security@debian.org) for
> jessie-security I assume you sent a separate mail?

Correct, see:


> Do you want to send the DLA as well or should I handle it? 

I'm a little short on time as I'm leaving for FOSDEM in an hour, so if
you can handle the DLA that'd be great. Thanks in advance!

> Note that you can only upload the orig.tar.gz once (either for
> wheezy-security or jessie-security) since both use the same upstream
> versions.

I built the jessie revision with -sa which was just uploaded to
security-master, so I'll build the wheezy revision without it.

Kind Regards,


 GPG Key ID: 4096R/6750F10AE88D4AF1
Fingerprint: 8182 DE41 7056 408D 6146  50D1 6750 F10A E88D 4AF1

Reply to: