Hi release team,
cups 1.3.9 was released two days ago with three security
fixes [1]. The HPGL one caused a regression [2] which I tracked down
and fixed in our packages; unfortunately upstream hasn't responded to
the patch yet, but I'm very confident in it.
I backported the security fixes, applied the regression fix, and fixed a
harmless l10n bug, and uploaded to unstable:
cups (1.3.8-1lenny2) unstable; urgency=high

  * Urgency high due to security fixes.
  * debian/control: Package development moved to bzr, update Vcs- tags.
  * Add CVE-2008-3641_hpgl_filter_overflow.dpatch: Fix buffer overflow
    triggered by invalid number of pens in the HPGL filter. (CVE-2008-3641,
    STR #2911)
  * Add CVE-2008-3639_sgi_filter_overflow.dpatch: Fix buffer overflow due to
    unchecked boundary in the SGI filter. (CVE-2008-3639, STR #2918)
  * Add CVE-2008-3640_texttops_overflow.dpatch: Fix buffer overflow by
    specifying invalidly large or negative page metrics. (CVE-2008-3640,
    STR #2919)
  * Add hpgl-regression.dpatch: Revert the SP_select_pen() enumeration change
    introduced in STR #2911, because it changes the color mapping (e. g. "SP1"
    would now select a white pen instead of a black one, and "SP0" would not
    be valid at all any more). Also fix a remaining off-by-one loop. (STR
    #2966)
  * Add admin-fr-translation.dpatch: Update the French admin.tmpl, to have the
    missing "Find new printer" button and the "Subscriptions" section. Thanks
    to Yves-Alexis Perez! (Closes: #475270)

 -- Martin Pitt <mpitt@debian.org>  Sat, 11 Oct 2008 12:53:30 +0200
Please allow this into testing.
However, I'd actually like to get the full 1.3.9 into Lenny. It is
already in experimental and contains quite a few of our patches, as
well as two handfuls of other bug fixes, and no new features
(see [2] for the changelog and [3] for an upstream debdiff). Would you
accept this as well? If so, I'll prepare an update and upload ASAP.
Thanks,
Martin
[1] http://www.cups.org/articles.php?L575
[2] http://www.cups.org/str.php?L2966
[3] http://launchpadlibrarian.net/18391186/cups_1.3.8-12_1.3.9-1.diff.gz
--
Martin Pitt | http://www.piware.de
Ubuntu Developer (www.ubuntu.com) | Debian Developer (www.debian.org)
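Editor's added example, not CUPS code and not part of Martin's mail: the changelog above describes two defect classes (an unchecked pen number indexing a fixed pen table, with a remaining off-by-one loop bound, and page metrics that are negative or too large before they size a buffer), plus a regression caused by fixing the first one by renumbering the pens. The snippet below shows the generic defensive pattern in C: bound-check the index against the table size without shifting the numbering, and validate dimensions and the size_t product before allocating. The pen table, MAX_PENS, MAX_PAGE_DIM and the function names are assumptions made for this illustration.

```c
/* Added illustration (not CUPS code). Pen table contents, limits and
 * function names are assumptions made for this example. */
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <stddef.h>

#define MAX_PENS      8       /* assumed size of the pen table */
#define MAX_PAGE_DIM  20000   /* assumed sane upper bound for one page dimension */

typedef struct { unsigned char r, g, b; } rgb_t;

/* Assumed pen table. Index 1 is black, matching the mail's remark that
 * "SP1" must select a black pen; index 0 stays a valid entry. */
static const rgb_t pens[MAX_PENS] = {
    {255, 255, 255}, {0, 0, 0},     {255, 0, 0},   {0, 255, 0},
    {0, 0, 255},     {255, 255, 0}, {255, 0, 255}, {0, 255, 255},
};

/* Parse the numeric argument of an HPGL "SP" command and look the pen up
 * WITHOUT renumbering: the bound is "n < MAX_PENS" (an "<=" here is the
 * off-by-one that reads one past the table), and index 0 is kept valid so
 * the color mapping does not change. Returns 0 and fills *out on success,
 * -1 for a malformed, negative or out-of-range pen number. */
int select_pen(const char *arg, rgb_t *out)
{
    char *end;
    long n;

    if (arg == NULL || *arg == '\0')
        return -1;
    n = strtol(arg, &end, 10);
    if (*end != '\0' && *end != ';')   /* trailing junk after the number */
        return -1;
    if (n < 0 || n >= MAX_PENS)        /* reject negative and >= table size */
        return -1;
    *out = pens[n];
    return 0;
}

/* Convenience wrapper: packed 0xRRGGBB of the selected pen, or -1. */
long pen_rgb(const char *arg)
{
    rgb_t c;
    if (select_pen(arg, &c) != 0)
        return -1;
    return ((long)c.r << 16) | ((long)c.g << 8) | (long)c.b;
}

/* Validate page metrics before they size a buffer: reject non-positive or
 * absurdly large dimensions, then reject a width*height*bpp product that
 * would wrap size_t. Returns the byte count, or 0 if the metrics are bad. */
size_t page_buffer_size(long width, long height, int bytes_per_pixel)
{
    size_t w, h, bpp;

    if (width <= 0 || height <= 0 || bytes_per_pixel <= 0)
        return 0;
    if (width > MAX_PAGE_DIM || height > MAX_PAGE_DIM || bytes_per_pixel > 8)
        return 0;
    w = (size_t)width; h = (size_t)height; bpp = (size_t)bytes_per_pixel;
    if (h > SIZE_MAX / w || bpp > SIZE_MAX / (w * h))   /* overflow check */
        return 0;
    return w * h * bpp;
}

int main(void)
{
    printf("SP1  -> %s\n", pen_rgb("1") == 0x000000 ? "black (ok)" : "error");
    printf("SP9  -> %s\n", pen_rgb("9") < 0 ? "rejected (ok)" : "accepted (bug)");
    printf("612x792x3  -> %zu bytes\n", page_buffer_size(612, 792, 3));
    printf("-1x792x3   -> %zu bytes\n", page_buffer_size(-1, 792, 3));
    return 0;
}
```

The point of keeping the check as `n >= MAX_PENS` rather than renumbering the table is exactly the regression described in the hpgl-regression.dpatch entry: a bounds fix must not move which pen a given "SPn" selects.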