Re: Wheezy update of icu?
On Wed, Sep 07, 2016 at 08:25:36AM -0400, Roberto C. Sánchez wrote:
> On Wed, Sep 07, 2016 at 11:07:16AM +0200, Bálint Réczey wrote:
> > I have not found however the proposed fix on the list thus I did not
> > know if you used the upstream fix.
> > I think it would be a good idea to send the patch to the list before the
> > final upload.
> Good point. I have attached the patch to this email. I intend to
> upload tonight or tomorrow (the last few days have been quite busy and I
> am playing catch up).
> Description: fix for null termination in uloc_acceptLanguageFromHTTP
> Origin: upstream, http://bugs.icu-project.org/trac/changeset/39109
So, you've identified the upstream fix for CVE-2016-6293 and why does
that not get commited to the security tracker?
That really sucks. LTS development almost fully relies on the
security tracker, so why don't you submit generic vulnerability information
you come across?