Antoine Beaupré wrote:

> I'm now more confident the patchset is complete. There is one tiny bit
> I'm still slightly unsure of. In Command.Reinject.perform, there was a
> `boolSystem "mv"` call lying around that was turned into a `moveFile`
> some time between the jessie version and 2fb3722ce. I figured this was
> the last instance of such an "mv" call and that moveFile does what it's
> supposed to do in the jessie version. So to avoid any compiler mishaps,
> I figured I would just use moveFile there but I'm not certain of the
> implications.

I don't think this change was strictly necessary, but I do think it's
correct.

> I'm also wondering if there are reproducers for those vulnerabilities so
> that I can test the new packages to see if they actually fix the
> problems.

No, I don't have any. You can test downloads from localhost and non-http
URL schemes to make sure they're blocked.

> So I've uploaded the test packages to my repository again:
>
> https://people.debian.org/~anarcat/debian/jessie-lts/
>
> This time, testing would be greatly appreciated. And of course, a review
> of the patchset would be great as well.

I've looked over the patchset and nothing stands out to me as a problem,
but it is of course a big patchset against a very old version so it would
be easy to miss something.

-- 
see shy jo
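The reply above says the fixed packages can be checked by confirming that downloads from localhost and from non-http URL schemes are refused. The following is an added reference checker for that policy, written for this page and not git-annex's own code: it accepts only http/https URLs whose host resolves exclusively to public addresses, and it generalizes the "localhost" rule to loopback, private, link-local and other non-routable ranges. The function names, the `ALLOWED_SCHEMES` constant and the list of test URLs are assumptions made for the example, and the real package's allow-list is configured separately.

```python
"""Reference checker for the download policy a fixed git-annex package is
expected to enforce: only http/https, and never a loopback or otherwise
non-public destination.  Added example, not git-annex's own code."""
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumed allow-list of schemes a downloader may use (example constant; the
# packaged fix configures its own list).
ALLOWED_SCHEMES = {"http", "https"}


def is_public_address(addr: str) -> bool:
    """True only for a globally routable unicast address."""
    ip = ipaddress.ip_address(addr)
    # An IPv4-mapped IPv6 literal such as ::ffff:127.0.0.1 must be judged
    # by its embedded IPv4 form, or loopback slips past the IPv6 checks.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not (
        ip.is_loopback or ip.is_private or ip.is_link_local
        or ip.is_multicast or ip.is_reserved or ip.is_unspecified
    )


def resolve_all(host: str) -> list:
    """Every address the host resolves to; [] on failure, so callers fail
    closed.  A literal address is returned as-is without touching DNS."""
    try:
        ipaddress.ip_address(host)
        return [host]
    except ValueError:
        pass
    try:
        infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def check_url(url: str):
    """Return (allowed, reason).  A URL is allowed only if its scheme is on
    the allow-list and *every* address its host resolves to is public, so a
    name with one public and one loopback record is still refused."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, "scheme %r is not allowed" % (scheme or "(none)")
    host = parts.hostname  # lowercased; brackets stripped from IPv6 literals
    if not host:
        return False, "no host in URL"
    addrs = resolve_all(host)
    if not addrs:
        return False, "cannot resolve %r" % host
    for addr in addrs:
        if not is_public_address(addr):
            return False, "%r resolves to non-public address %s" % (host, addr)
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs covering the cases the reply asks to test,
    # plus the private and link-local ranges a practitioner would add.
    for u in ("file:///etc/passwd", "ftp://example.org/x", "http://localhost/",
              "http://127.0.0.1/", "http://[::1]/", "http://[::ffff:127.0.0.1]/",
              "http://169.254.169.254/", "http://10.0.0.7/", "http://8.8.8.8/f"):
        print("%-32s %s" % (u, check_url(u)))
```

The check resolves the name itself and refuses the URL if any record is non-public, which is the right shape for a pre-download policy test; it is not a substitute for the downloader applying the same test to the address it actually connects to, since a name can resolve differently between the check and the connection.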