Re: Fixing CVE-2017-5617 (SSRF) for svgsalamander in wheezy
On Fri, Feb 03, 2017 at 10:07:55AM +0100, Sebastiaan Couwenberg wrote:
> Dear LTS Team,
> Vincent Privat of the JOSM development team has provided a fix for
> CVE-2017-5617 (#853134).
> I've included a patch with his changes in the Debian package, and
> uploaded it to unstable, and backported the patch for the jessie &
> wheezy packages.
> Affected versions:
> * jessie: 0~svn95-1
> * wheezy: 0~svn95-1
> Fixed versions:
> * jessie: 0~svn95-1+deb8u1
> * wheezy: 0~svn95-1+deb7u1
> Are these changes OK for upload to security-master?
Thanks for looking into this!

Looks good from the LTS point of view (wheezy-security)! Feel free to
upload. Since you did not cc the security team (firstname.lastname@example.org) for
jessie-security I assume you sent a separate mail?

Do you want to send the DLA as well or should I handle it?

Note that you can only upload the orig.tar.gz once (either for
wheezy-security or jessie-security) since both use the same upstream