Re: [Pkg-privacy-maintainers] mat bug #826101 in Wheezy (embeded images in PDFs)
- To: intrigeri <intrigeri@debian.org>
- Cc: Jonas Meurer <jonas@freesources.org>, julien.voisin@dustri.org, pkg-privacy-maintainers@lists.alioth.debian.org, debian-lts@lists.debian.org, team@security.debian.org
- Subject: Re: [Pkg-privacy-maintainers] mat bug #826101 in Wheezy (embeded images in PDFs)
- From: Salvatore Bonaccorso <carnil@debian.org>
- Date: Tue, 11 Oct 2016 17:01:33 +0200
- Message-id: <[🔎] 20161011150133.62tsvuc3uvqn4otr@eldamar.local>
- Mail-followup-to: intrigeri <intrigeri@debian.org>, Jonas Meurer <jonas@freesources.org>, julien.voisin@dustri.org, pkg-privacy-maintainers@lists.alioth.debian.org, debian-lts@lists.debian.org, team@security.debian.org
- In-reply-to: <[🔎] 85lgxvukwh.fsf@boum.org>
- References: <5e8a6f01-cf19-aeb2-dda0-acab03f543b2@freesources.org> <85wpi4z86j.fsf@boum.org> <[🔎] 5b51922f-389e-cd74-7a7a-6c5154dc4c68@freesources.org> <[🔎] 85lgxvukwh.fsf@boum.org>
Hi intrigeri,
On Tue, Oct 11, 2016 at 07:31:42AM -0500, intrigeri wrote:
> Hi,
>
> Jonas Meurer:
> > Am 22.09.2016 um 09:48 schrieb intrigeri:
> > As you might have noticed: I finally uploaded mat 0.3.2-1+deb7u1 to
> > wheezy-security, disabling PDF support alltogether.
>
> Thanks!
>
> >> For Jessie (and wheezy-backports), I wanted to wait a bit first to
> >> give Julien (upstream) some time to fix the problem without disabling
> >> PDF support, and in a way that we can backport to (at least) Jessie.
> >> If there's no upstream fix available within a month from now, then
> >> I agree we should go ahead and do that in Jessie too. Julien, any ETA?
>
> > Given that Julien didn't reply to your mail yet and it doesn't seem like
> > a proper fix (e.g. a solution to anonymize metadata of embedded images
> > in PDFs) is underway, I suggest to go ahead with the dirty - but secure
> > - solution to disable PDF support at mat in Jessie as well.
>
> OK. I'd like to wait until the deadline I've set for Julien has been
> reached (that's in 11 days now), and then I can handle it either via
> DSA or jessie-pu, as the security team prefers.
Can you please address the issue by proposing an update via jessie-pu.
Thanks already and regards,
Salvatore
Reply to: