Re: libonig/5.9.1-1+deb7u1 (CVE-2017-922[4-9])



Hi Jörg,

On Fri, May 26, 2017 at 12:04 AM, Jörg Frings-Fürst
<debian@jff-webhosting.net> wrote:
> Hi Vincent,
>
>
> first thanks for your review.
>
> Am Donnerstag, den 25.05.2017, 22:50 -0700 schrieb Vincent Cheng:
>> Hi Jörg,
>>
>> On Thu, May 25, 2017 at 1:23 PM, Jörg Frings-Fürst
>> <debian@jff-webhosting.net> wrote:
>> > Hello Vincent,
>> >
>> > I have a bugfix release ready for a review.
>> >
>> > My changes:
>> >
>> > libonig (5.9.1-1+deb7u1) wheezy-security; urgency=high
>> >
>> >   * New debian/patches/0500-CVE-2017-922[4-9].patch:
>> >     - Cherrypicked from upstream to correct:
>> >       + CVE-2017-9224 (Closes: #863312)
>> >       + CVE-2017-9226 (Closes: #863314)
>> >       + CVE-2017-9227 (Closes: #863315)
>> >       + CVE-2017-9228 (Closes: #863316)
>> >       + CVE-2017-9229 (Closes: #863318)
>> >   * debian/control:
>> >     - Add myself as maintainer.
>> >
>> > Build with pdebuild is ok. The test with the newest lintian has a lot
>> > of warnings.
>> >
>> > The package is uploaded to mentors[1].  The debdiff is attached.
>> >
>> > Please can you review it?
>>
>> In your upload to mentors.d.n, why has the source tarball been changed
>> and versioned as if libonig was a native package (it's not)? Also, if
>> I'm not mistaken, it doesn't look like your CVE patch is actually
>> applied when I attempt to build your package.
>>
>
> Sorry, my mistake. I didn't see that there was no d/source/format.
>
> I added it, built and tested the package. The patch is now applied.
>
> The package is uploaded again[1].

Looks good, uploaded. Thanks for preparing the upload!

>> Have you updated dla-needed.txt, obtained a DLA id and prepared an
>> announcement for debian-lts-announce, as described in [1]?
>>
> No, I have no rights to do it. But yesterday I asked Raphael Hertzog
> and the LTS-Team to do it.

Ok, sounds good.

Regards,
Vincent