
Re: openscenegraph 2.4.0-1.1: embedded copy of vulnerable lib3ds



In gmane.linux.debian.devel.release, you wrote:
> Hello,
>
> recently a bug has been reported for the lenny version of the
> openscenegraph 2.4.0-1.1 source package, based upon the fact that this
> package includes an embedded, vulnerable copy of the lib3ds library:
>
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=601181
>
> The security team said that our proposed update did not warrant a
> security update, and that we should make a stable release instead.
>
> The Debian Developers of this package and I now have available a new
> version of the package which removes the embedded copy and makes the
> compilation process link the generated libraries against Debian system's
> lib3ds version. I'm attaching the diff in this mail for you to
> inspect. I wonder if the `high' priority that I have given to this
> release is fine or not.

That wouldn't buy us much, since lib3ds isn't fixed in Lenny yet; it
would need to be updated along.

Cheers,
        Moritz

