Re: libonig/5.9.1-1+deb7u1 (CVE-2017-922[4-9])
On Fri, May 26, 2017 at 12:04 AM, Jörg Frings-Fürst
> Hi Vincent,
> first thanks for your review.
> Am Donnerstag, den 25.05.2017, 22:50 -0700 schrieb Vincent Cheng:
>> Hi Jörg,
>> On Thu, May 25, 2017 at 1:23 PM, Jörg Frings-Fürst
>> <email@example.com> wrote:
>> > Hello Vincent,
>> > I have a bugfix release ready for a review.
>> > My changes:
>> > libonig (5.9.1-1+deb7u1) wheezy-security; urgency=high
>> > * New debian/patches/0500-CVE-2017-922[4-9].patch:
>> > - Cherrypicked from upstream to correct:
>> > + CVE-2017-9224 (Closes: #863312)
>> > + CVE-2017-9226 (Closes: #863314)
>> > + CVE-2017-9227 (Closes: #863315)
>> > + CVE-2017-9228 (Closes: #863316)
>> > + CVE-2017-9229 (Closes: #863318)
>> > * debian/control:
>> > - Add myself as maintainer.
>> > Build with pdebuild are ok. The test with the newest lintian has a lot
>> > of warnings.
>> > The package is uploaded to mentors. The debdiff is attached.
>> > Please can you review it?
>> In your upload to mentors.d.n, why has the source tarball been changed
>> and versioned as if libonig was a native package (it's not)? Also, if
>> I'm not mistaken, it doesn't look like your CVE patch is actually
>> applied when I attempt to build your package.
> Sorry my mistake. I don't see that there was no d/source/format.
> I add them, build und test the package. The patch is now applied.
> The package is uploaded again.
Looks good, uploaded. Thanks for preparing the upload!
>> Have you updated dla-needed.txt, obtained a DLA id and prepared an
>> announcement for debian-lts-announce, as described in ?
> No, I have no rights to do it. But I have yesterday ask Raphael Hertzog
> and the LTS-Team to do it.
Ok, sounds good.