
Re: libonig/5.9.1-1+deb7u1 (CVE-2017-922[4-9])

Hi Jörg,

On Thu, May 25, 2017 at 1:23 PM, Jörg Frings-Fürst
<debian@jff-webhosting.net> wrote:
> Hello Vincent,
>
> I have a bugfix release ready for a review.
>
> My changes:
>
> libonig (5.9.1-1+deb7u1) wheezy-security; urgency=high
>
>   * New debian/patches/0500-CVE-2017-922[4-9].patch:
>     - Cherrypicked from upstream to correct:
>       + CVE-2017-9224 (Closes: #863312)
>       + CVE-2017-9226 (Closes: #863314)
>       + CVE-2017-9227 (Closes: #863315)
>       + CVE-2017-9228 (Closes: #863316)
>       + CVE-2017-9229 (Closes: #863318)
>   * debian/control:
>     - Add myself as maintainer.
>
> Builds with pdebuild are ok. The test with the newest lintian has a lot
> of warnings.
>
> The package is uploaded to mentors[1].  The debdiff is attached.
>
> Please can you review it?

In your upload to mentors.d.n, why has the source tarball been changed
and versioned as if libonig was a native package (it's not)? Also, if
I'm not mistaken, it doesn't look like your CVE patch is actually
applied when I attempt to build your package.

Have you updated dla-needed.txt, obtained a DLA id and prepared an
announcement for debian-lts-announce, as described in [1]?

Regards,
Vincent

[1] https://wiki.debian.org/LTS/Development
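The two review points above (a source package versioned as if it were native, and a CVE patch that is not actually applied at build time) are the kind of thing a quick pre-upload check catches. The script below is an added example, not code from the thread or from the libonig package; it builds a constructed minimal source tree and reports a version with no Debian revision, a patch file that is missing from debian/patches/series, or a series entry with no matching file. The function and file names are my own.

```python
import os
import re
import tempfile

# Patch name taken from the changelog quoted above; the tree below is constructed.
PATCH = "0500-CVE-2017-922[4-9].patch"

def is_native_version(version):
    """Without a '-' Debian revision, dpkg-source treats the package as native."""
    return "-" not in version

def changelog_version(text):
    """Version from the first stanza header 'pkg (version) dist; urgency=...'."""
    m = re.match(r"\S+ \(([^)]+)\) ", text)
    return m.group(1) if m else ""

def series_entries(text):
    """Patches listed in debian/patches/series; only these get applied at build."""
    lines = (l.split("#", 1)[0].strip() for l in text.splitlines())
    return [l.split()[0] for l in lines if l]

def check_source_tree(root):
    """Return the problems that would leave a CVE patch unapplied at build time."""
    problems = []
    with open(os.path.join(root, "debian/changelog")) as f:
        version = changelog_version(f.read())
    if is_native_version(version):
        problems.append(f"version {version} has no Debian revision (looks native)")
    pdir = os.path.join(root, "debian/patches")
    series = os.path.join(pdir, "series")
    listed = set(series_entries(open(series).read())) if os.path.exists(series) else set()
    on_disk = set(os.listdir(pdir)) - {"series"} if os.path.isdir(pdir) else set()
    problems += [f"patch {n} is not in series" for n in sorted(on_disk - listed)]
    problems += [f"series lists missing patch {n}" for n in sorted(listed - on_disk)]
    return problems

def sample_tree(version, with_series):
    """Constructed minimal 3.0 (quilt)-style tree, not a real libonig checkout."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "debian/patches"))
    with open(os.path.join(root, "debian/changelog"), "w") as f:
        f.write(f"libonig ({version}) wheezy-security; urgency=high\n")
    with open(os.path.join(root, "debian/patches", PATCH), "w") as f:
        f.write("--- a/regparse.c\n+++ b/regparse.c\n")  # placeholder hunk header
    if with_series:
        with open(os.path.join(root, "debian/patches/series"), "w") as f:
            f.write(PATCH + "\n")
    return root
```

This only verifies that the patch is listed, not that it applies cleanly; for that, run the usual `dpkg-source -b` or `quilt push -a` in the unpacked tree and diff the built source against the changelog claims.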