Re: Fixing CVE-2017-5617 (SSRF) for svgsalamander in wheezy
On 02/03/2017 11:06 AM, Guido Günther wrote:
> On Fri, Feb 03, 2017 at 10:07:55AM +0100, Sebastiaan Couwenberg wrote:
>> Dear LTS Team,
>> Vincent Privat of the JOSM development team has provided a fix for
>> CVE-2017-5617 (#853134).
>> I've included a patch with his changes in the Debian package, and
>> uploaded it to unstable, and backported the patch for the jessie &
>> wheezy packages.
>> Affected versions:
>> * jessie: 0~svn95-1
>> * wheezy: 0~svn95-1
>> Fixed versions:
>> * jessie: 0~svn95-1+deb8u1
>> * wheezy: 0~svn95-1+deb7u1
>> Are these changes OK for upload to security-master?
> Thanks for looking into this!
> Looks good from the LTS point of view (wheezy-security)! Feel free to
> upload. Since you did not cc the security team (email@example.com) for
> jessie-security I assume you sent a separate mail?
> Do you want to send the DLA as well or should I handle it?
I'm a little short on time as I'm leaving for FOSDEM in an hour, so if
you can handle the DLA that'd be great. Thanks in advance!
> Note that you can only upload the orig.tar.gz once (either for
> wheezy-security or jessie-security) since both use the same upstream
I built the jessie revision with -sa which was just uploaded to
security-master, so I'll build the wheezy revision without it.
GPG Key ID: 4096R/6750F10AE88D4AF1
Fingerprint: 8182 DE41 7056 408D 6146 50D1 6750 F10A E88D 4AF1