The reason for picking the Android fix was that the Android version was similar to the one in wheezy. The upstream fix was against a much more recent version with a quite significantly changed code base (essentially a complete rewrite). Also, the Android fix was much smaller and corrected both problems, making the work easier. The upstream fix also includes some code restructuring that made it hard to tell how to backport, considering the significance of the changed code base.
Jose (maintainer) and maybe the Debian security team should probably pick the patches you refer to, as that version is similar to the one the upstream correction was done on.
I'll have a look at the Android test program.
Was this an answer to your questions?
Sent from a phone

On Thu, 02 Jun 2016, Ola Lundqvist wrote:
> What I did was to manually apply the correction made for android.
Why did you pick the android fix when the security tracker also lists
commits on the upstream VCS?
> I have not tested the specific problem. I trust that Android developers
> have done that.
They have added a test program for this, not sure if you can build it/use
it to validate the fixed code.
Raphaël Hertzog ◈ Debian Developer
Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/