[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Review squeeze-lts exactimage/0.8.1-3+deb6u4


On Wed, 27 May 2015, Sven Eckelmann wrote:
> > In any case, I reviewed your debdiff and it looks good. Feel free to
> > proceed with the upload and the release of the DLA to
> > debian-backports-announce@lists.debian.org.
> > 
> > If you need sponsorship, please let us know.
> Thanks for all the information. I still have a small question:
> Is the debian-backports-announce@ mailing list moderated? The DLA announcement 
> went to this mailing list 7h ago and I got no feedback. Not for the first 
> unsigned mail (sorry about that but the ml should not accept it) and not for 
> the one signed with my DM key (PGP/MIME).

Bah, sorry, the good list was obviously
debian-lts-announce@lists.debian.org and not

Assuming you sent your mail to debian-lts-announce@lists.debian.org (and
it looks like so given the mail you attached), then you can contact
listmasters (listmaster@lists.debian.org in copy) to find out why the mail
did not get through.  Their advice is usually to resend the mail with an
inline PGP signature (i.e. without MIME encoding). Enigmail for instance
is known to generate problematic PGP/MIME...

(I use mutt with PGP/MIME without problem that said)

[ I leave the rest of the mail for the benefit of the listmasters ]

> The wiki page says [1] the mailing list is accepting valid signatures with DD 
> and DM keys. The mailing list page informs [2] the reader that only DD signed 
> messages are accepted. So I am currently unsure how to proceed. But I've 
> attached my mail in case someone wants to check if there is anything wrong 
> with the PGP/MIME signature.

> Date: Wed, 27 May 2015 13:55:56 +0200
> From: Sven Eckelmann <sven@narfation.org>
> To: debian-lts-announce@lists.debian.org
> Subject: [DLA 228-1] exactimage security update
> Message-ID: <6824467.bCIuEXgBhs@bentobox>
> Package        : exactimage
> Version        : 0.8.1-3+deb6u4
> CVE ID         : CVE-2015-3885
> Debian Bug     : 786785
> A vulnerability has been discovered in the ExactImage image manipulation 
> programs.
> CVE-2015-3885
>     Eduardo Castellanos discovered an Integer overflow in the dcraw version
>     included in ExactImage. This vulnerability allows remote attackers to
>     cause a denial of service (crash) via a crafted image.
> For the oldoldstable distribution (squeeze), these problems have been fixed in 
> version 0.8.1-3+deb6u4.
> For the oldstable, stable, and testing distributions, these problems will be 
> fixed soon.

Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/

Reply to: