On Sun, Oct 05, 2008 at 01:23:42AM +0200, Marc 'HE' Brockschmidt wrote:
> > Although this is a new upstream version, there are various important
> > changes (including fixes for and related to grave bugs) in the package
> > since 1:7.1.314-3 and relatively few non-bug fix changes in the upstream
> > release. Full dpkg-parsechangelog of new versions below.
> >
> > people.d.o has the diffs for the source[0]
> [...]
> > [0] http://people.debian.org/~jamessan/tmp/vim.diff.gz
> > 74 files changed, 2838 insertions(+), 1532 deletions(-)
>
> Rejected. This is in no way suitable for a freeze exception. #500381
> will need a tpu upload.

I've prepared a candidate for tpu upload[0] to fix the issues which I
think should be fixed for Lenny. Source diff[1], runtime diff[2], and
full debdiff[3] are available.

[0] - dget http://people.debian.org/~jamessan/tmp/vim_7.1.314-3+lenny1.dsc
[1] - http://people.debian.org/~jamessan/tmp/vim_7.1.314-3+lenny1-src.debdiff.gz
[2] - http://people.debian.org/~jamessan/tmp/vim_7.1.314-3+lenny1-runtime.debdiff.gz
[3] - http://people.debian.org/~jamessan/tmp/vim_7.1.314-3+lenny1.debdiff.gz

Source: vim
Version: 1:7.1.314-3+lenny1
Distribution: testing-proposed-updates
Urgency: low
Maintainer: James Vega <jamessan@debian.org>
Date: Sat, 11 Oct 2008 03:01:50 -0400
Closes: 384635 456897 486502 492450 492519 499451 500381
Changes:
 vim (1:7.1.314-3+lenny1) testing-proposed-updates; urgency=low
 .
   * Cherry-pick patches from upstream to address filename escaping
     vulnerabilities
     - 7.2a.013 shellescape() does not escape "%" and "#" characters
     - 7.2b.005 shellescape() doesn't take care of "!" and "\n"
     - 7.2b.018 cmdline completion on shell cmd fails on file containing '!'
     - 7.2b.026 GTK 2 file chooser causes significant slowdown
       (Closes: #456897, #384635)
     - 7.2c.002 fnameescape() doesn't handle a leading '+' or '>'
     - 7.2.010 "K" in Visual mode does not properly escape all characters
       (CVE 2008-4101, Closes: #500381)
       + src/normal.c: Only use the word under the cursor, instead of the
         entire line after the cursor, when constructing the shell command
         to run.
   * Update runtime files affected by filename escape vulnerabilities.
     (CVE 2008-2712, Closes: #486502)
   * src/spell.c: Stop reading when EOF is reached to avoid allocing large
     amounts of memory.
   * src/main.c: After further discussion with upstream, revert behavior of
     -N/-C causing (no)compatible to be set after all startup files/plugins
     are sourced, c.f. #438560.
   * debian/control: vim-runtime Depends on dpkg >= 1.14.20 for sane
     dpkg-divert behavior
   * debian.vim: Do not enable 'autoindent' and filetype plugins by default.
   * Add NEWS item for change in default configuration.
   * runtime/autoload/netrw.vim: Fix deletion of incorrect file in wide
     display listing. Using Jan Minář's patch from the vim-dev list.
     (Closes: #492519)
   * Improve handling of transition from vim-runtime Replacing vim-tiny to
     using diversions to manage their conflicting files. (Closes: #492450)
   * Add vim-runtime.preinst to handle moving /etc/vim/vimrc.tiny from
     vim-common to vim-tiny. (Closes: #499451)

-- 
James
GPG Key: 1024D/61326D40 2003-09-02 James Vega <jamessan@debian.org>