Hi László, hi Ondřej, On Do 31 Dez 2015 19:01:33 CET, László Böszörményi (GCS) wrote:
On Thu, Dec 31, 2015 at 10:04 AM, Ondřej Surý <ondrej@debian.org> wrote:I have a git mirror[1] (git cvsimport) of upstream CVS and right now it's a tad bit confusing which patches are relevant to those CVEs.I've packaged 4.0.6, fixed two CVEs and two other vulnerabilities that don't have an id. However CVE-2015-8668 is not yet fixed by upstream as I see.I will have more time cherry-picking the patches next week, so if somebody starts the work (even for unstable), I really won't mind. In fact it would be much appreciated.I'm going to finish my investigations tomorrow even if my employer counts on me from 6am. Will do the upload and other fixes can come in later as upstream commit those.Also feel free to prepare Debian LTS update, I will share relevant patches, but we'll have to prepare security update for jessie and wheezy (+ tiff3 for wheezy), so feel free to take care about this in Debian LTS yourself.I can do the Wheezy + Jessie updates as well. But I've accepted Raphaël's advice not to do LTS security work so I follow Ondřej here: you can do the Squeeze LTS update yourself.
I (with my LTS team hat on) just signed up for looking at fixing tiff in squeeze-lts.
@László: once you finished your research tomorrow, could you send a short summary with your findings (or even upload a new package version to unstable)?
Thanks+>Greets, Mike -- DAS-NETZWERKTEAM mike gabriel, herweg 7, 24357 fleckeby fon: +49 (1520) 1976 148 GnuPG Key ID 0x25771B31 mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de freeBusy: https://mail.das-netzwerkteam.de/mailxchange/kronolith/fb.php?u=m.gabriel%40das-netzwerkteam.de
Attachment:
pgp4ZGHhwRvSm.pgp
Description: Digitale PGP-Signatur