
icu package and debdiff [new contributor, first attempt]



Hi All,

I'm still "in-training" and I thought I would attempt to prepare an
upload of the icu package for wheezy.

The package is here: https://people.debian.org/~roberto/
dsc - https://people.debian.org/~roberto/icu_4.8.1.1-12+deb7u4.dsc
debdiff - https://people.debian.org/~roberto/icu_4.8.1.1-12+deb7u3_deb7u4.diff

I would appreciate a review of the package by someone knowledgeable
and experienced with LTS support to make sure I handled it correctly.
Please read on for details of the steps I took.

Based on the information I found on the security tracker, there are
three vulnerabilities affecting icu in wheezy: CVE-2015-2632,
CVE-2015-4844, and CVE-2016-0494.

I pulled the patch for CVE-2015-2632 from the icu package in unstable,
which has been fixed.

I pulled the patch for CVE-2015-4844 from the upstream jdk8u project
(based on the commit reference in openjdk-8's debian/changelog).  I
confirmed that this fix matched what was done by upstream in their
subversion repository.

I pulled the patch for CVE-2016-0494 from the upstream jdk8u project
(based on the commit reference in openjdk-8's debian/changelog).  I
attempted to confirm this fix in upstream's subversion repository, but
it appears to not have been fixed upstream yet.

I built the package in a wheezy chroot, signed the resulting package,
and uploaded it (along with the debdiff between the prior version and my
updated package) to the above location.

Regards,

-Roberto

-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com

Attachment: signature.asc
Description: Digital signature

