
Re: Fixing CVE-2017-5617 (SSRF) for svgsalamander in wheezy



On 02/03/2017 11:06 AM, Guido Günther wrote:
> On Fri, Feb 03, 2017 at 10:07:55AM +0100, Sebastiaan Couwenberg wrote:
>> Dear LTS Team,
>>
>> Vincent Privat of the JOSM development team has provided a fix for
>> CVE-2017-5617 (#853134).
>>
>> I've included a patch with his changes in the Debian package, and
>> uploaded it to unstable, and backported the patch for the jessie &
>> wheezy packages.
>>
>> Affected versions:
>>
>>  * jessie: 0~svn95-1
>>  * wheezy: 0~svn95-1
>>
>> Fixed versions:
>>
>>  * jessie: 0~svn95-1+deb8u1
>>  * wheezy: 0~svn95-1+deb7u1
>>
>> Are these changes OK for upload to security-master?
> 
> Thanks for looking into this!
> 
> Looks good from the LTS point of view (wheezy-security)! Feel free to
> upload. Since you did not cc the security team (security@debian.org) for
> jessie-security I assume you sent a separate mail?

Correct, see:

 https://lists.debian.org/debian-java/2017/02/msg00009.html

> Do you want to send the DLA as well or should I handle it? 

I'm a little short on time as I'm leaving for FOSDEM in an hour, so if
you can handle the DLA that'd be great. Thanks in advance!

> Note that you can only upload the orig.tar.gz once (either for
> wheezy-security or jessie-security) since both use the same upstream
> versions.

I built the jessie revision with -sa which was just uploaded to
security-master, so I'll build the wheezy revision without it.

Kind Regards,

Bas

-- 
 GPG Key ID: 4096R/6750F10AE88D4AF1
Fingerprint: 8182 DE41 7056 408D 6146  50D1 6750 F10A E88D 4AF1
