Hello Roberto, welcome on board!

On 08.05.2016 at 05:34, Roberto C. Sánchez wrote:
> Hi All,
>
> I'm still "in-training" and I thought I would attempt to prepare an
> upload of the icu package for wheezy.
>
> The package is here: https://people.debian.org/~roberto/
> dsc - https://people.debian.org/~roberto/icu_4.8.1.1-12+deb7u4.dsc
> debdiff - https://people.debian.org/~roberto/icu_4.8.1.1-12+deb7u3_deb7u4.diff

I couldn't download the package with dget -x because the original tarball
is currently missing, so I used the debdiff.

> I would appreciate a review of the package by someone knowledgeable
> and experienced with LTS support to make sure I handled it correctly.
> Please read on for details of the steps I took.
>
> Based on the information I found on the security tracker, there are
> three vulnerabilities affecting icu in wheezy: CVE-2015-2632,
> CVE-2015-4844, and CVE-2016-0494.
>
> I pulled the patch for CVE-2015-2632 from the icu package in unstable,
> which has been fixed.

That's a sensible approach. In this case the patch applied cleanly for the
version in Wheezy, but sometimes you have to be more careful when the code
is considerably different.

> I pulled the patch for CVE-2015-4844 from the upstream jdk8u project
> (based on the commit reference in openjdk-8's debian/changelog). I
> confirmed that this fix matched what was done by upstream in their
> subversion repository.
>
> I pulled the patch for CVE-2016-0494 from the upstream jdk8u project
> (based on the commit reference in openjdk-8's debian/changelog). I
> attempted to confirm this fix in upstream's subversion repository, but
> it appears to not have been fixed upstream yet.

Antoine (anarcat) fixed this issue for Squeeze LTS and he also left some
comments at https://ssl.icu-project.org/trac/ticket/12020

He also changed the runConfigure script, and his patch for CVE-2016-0494
looks different to me. Perhaps you should contact him (or he will simply
respond to this message, because he is subscribed too), discuss this patch
with him and ask him why his approach contains more changes than the
original upstream commit at
http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/f556d4c82ef1

> I built the package in a wheezy chroot, signed the resulting package,
> and uploaded it (along with the debdiff between the prior version and my
> updated package) to the above location.

That's fine. You don't have to upload a new revision to people.debian.org,
but it is a useful approach if you want to get more feedback for your
patches. You could also:

* Check the output of the test suite (if it exists)
* Write your own tests or ask upstream for advice on how to test the issue
* Contact upstream and ask for code reviews
* Try the reproducer with the old and new version (if it exists)
* Install the package, do some smoke testing and try to verify that the
  update didn't introduce any regressions

Regards,

Markus