openscenegraph 2.4.0-1.1: embedded copy of vulnerable lib3ds



Hello,

recently a bug has been reported for the lenny version of the
openscenegraph 2.4.0-1.1 source package, based upon the fact that this
package includes an embedded, vulnerable copy of the lib3ds library:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=601181

The security team said that our proposed update did not warrant a
security update, and that we should make a stable release instead.

The Debian Developers of this package and I now have available a new
version of the package which removes the embedded copy and makes the
compilation process link the generated libraries against Debian system's
lib3ds version. I'm attaching the diff in this mail for you to
inspect. I wonder if the `high' priority that I have given to this
release is fine or not.

The testing and unstable versions are fine at the moment, since they
embed an unaffected release of lib3ds.

Thanks,

Alberto

Attachment: openscenegraph_2.4.0-2+lenny1.diff.gz
Description: Binary data