Bug#840546: CVE-2016-7966 kdepimlibs jessie
Hi Sandro,
On Fri, Oct 14, 2016 at 10:56:00PM +0200, Sandro Knauß wrote:
> Hi,
>
> now I'm fully confused - you said on IRC, I should better create a deb8u2
> on top. Well I created now the debdiff for a deb8u2.
>
> So you can decide what is the best way for the sec team and what version
> should be uploaded where.
Sorry then if some confusion was present. I looked at the debdiff you
sent previously and it was a +deb8u1 with all changes. That would not
have worked, since +deb8u1 is now already on security master and been
rejected by dak.
> diff -Nru kdepimlibs-4.14.2/debian/changelog kdepimlibs-4.14.2/debian/changelog
> --- kdepimlibs-4.14.2/debian/changelog 2016-10-12 18:20:26.000000000 +0200
> +++ kdepimlibs-4.14.2/debian/changelog 2016-10-14 21:33:53.000000000 +0200
> @@ -1,3 +1,14 @@
> +kdepimlibs (4:4.14.2-2+deb8u2) jessie-security; urgency=high
> +
> + * Team upload.
> + * Additional patch to complete the fix for CVE-2016-7966
> + - Replace all scary charactars (", <, > and &) with safe HTML
> + replacements.
> + - Backport commit kcoreaddons 5e13d2439dbf540fdc840f0b0ab5b3ebf6642c6a
> + in debian/patches/CVE-2016-7966_part2.diff
> +
> + -- Sandro Knauß <hefee@debian.org> Fri, 14 Oct 2016 21:33:53 +0200
> +
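Review bot: "charactars" in the first sub-item of the new changelog entry should read "characters", and since the changelog is what ends up in the security upload it is worth fixing before the build. The same bullet would also be clearer if "scary" were replaced by what the characters actually are, for example "Replace the HTML-significant characters (", <, > and &) with their HTML entities", so that a reader of the changelog alone can tell what the part2 patch changes relative to the +deb8u1 fix.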
Thanks, that is exactly what I meant. Create a +deb8u2 with your
additional needed fixes on top of the deb8u1 previously already
uploaded by Scott.
It's perfect now as you attached above.
I will now not interfere any further, since Moritz will take care of the
DSA.
Regards,
Salvatore