Hi Hugh, On So 17 Mai 2020 10:30:30 CEST, Hugh McMaster wrote:
Hi Mike and LTS team, On Thu, 14 May 2020 at 15:42, Mike Gabriel wrote:The Debian LTS team would like to fix the security issues which are currently open in the Jessie version of libexif: https://security-tracker.debian.org/tracker/CVE-2020-12767 Would you like to take care of this yourself? If yes, please follow the workflow we have defined here: https://wiki.debian.org/LTS/Development If that workflow is a burden to you, feel free to just prepare an updated source package and send it to debian-lts@lists.debian.org (via a debdiff, or with an URL pointing to the source package, or even with a pointer to your packaging repository), and the members of the LTS team will take care of the rest. Indicate clearly whether you have tested the updated package or not.I currently maintain libexif but am not a DD, so I can't upload the binary packages as per your workflow. I've prepared a debdiff covering all outstanding CVEs and two instances of undefined behaviour. Internal tests pass at build time. The patches are the same as those used in Sid, as the upstream version has not changed. Hope this helps. Please let me know if you need anything else. Feel free to adjust the changelog. Hugh
I just reviewed your .debdiff. Thanks for the backporting of all those CVEs.I see that libexif in stretch and buster require uploads to. As the issues have been marked <no-dsa> for stretch and buster, the security updates have to be uploaded as (old)stable release updates (SRUs).
I can easily forward port your .debdiff or you send me .debdiffs that match against libexif in stretch + buster. What approach do you prefer. I am happy to sponsor your uploads to stretch and buster.
Greets, Mike -- mike gabriel aka sunweaver (Debian Developer) mobile: +49 (1520) 1976 148 landline: +49 (4351) 486 14 27 GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31 mail: sunweaver@debian.org, http://sunweavers.net
Attachment:
pgpufoBmpzYrK.pgp
Description: Digitale PGP-Signatur