
Re: lastfm 1.5.1.31879.dfsg-1+lenny1 stable update



On Tuesday, November 16, 2010 02:19:12 pm Moritz Muehlenhoff wrote:
> In gmane.linux.debian.devel.release, you wrote:
> > 
> > On Mon, Oct  4, 2010 at 14:26:26 -0700, John Stamp wrote:
> >> Hello,
> >>
> >>
> >> Bug#598294: lastfm: CVE-2010-3362: insecure library loading also
> >> affects the version in stable.  I notified the security team, but
> >> Moritz told me that this does not warrant a DSA.  He suggested
> >> that I instead get this fixed through a stable point update.
> >>
> >>
> >> The proposed diff is below:
> >>
> >> diff --git a/debian/changelog b/debian/changelog
> >> index 857c175..dce2413 100644
> >> --- a/debian/changelog
> >> +++ b/debian/changelog
> >> @@ -1,3 +1,9 @@
> >> +lastfm (1:1.5.1.31879.dfsg-1+lenny1) stable-security;
> >> urgency=3Dhigh +
> >> +  * Fix CVE-2010-3362: insecure library loading
> >> +
> >> + -- John Stamp <jstamp@users.sourceforge.net>  Thu, 30 Sep 2010
> >> 15:39:42=
> >> 
> >  -0700
> >  
> >> +
> >> 
> >>  lastfm (1:1.5.1.31879.dfsg-1) unstable; urgency=3Dlow
> >> 
> >> =20
> >> 
> >>    * New upstream.
> >> 
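Review bot: the new changelog entry targets `stable-security`, but the cover text says the security team declined a DSA and asked for a stable point update, so the distribution field should be `stable`. The entry could also close the bug named in the cover text by appending `(Closes: #598294)` to the CVE-2010-3362 line. As quoted, the header and signature lines are wrapped and still carry quoted-printable escapes (`urgency=3Dhigh`), so the hunk will not apply from this mail; an attached debdiff would avoid that.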
> >> diff --git a/debian/lastfm.sh b/debian/lastfm.sh
> >> index 34a2487..aef3654 100644
> >> --- a/debian/lastfm.sh
> >> +++ b/debian/lastfm.sh
> >> @@ -1,5 +1,5 @@
> >> 
> >>  #!/bin/sh
> >> 
> >> =20
> >> 
> >>  RUNDIR=3D"/usr/lib/lastfm"
> >> 
> >> -export LD_LIBRARY_PATH=3D"${RUNDIR}:${LD_LIBRARY_PATH}"
> >> +export
> >> LD_LIBRARY_PATH=3D"${RUNDIR}${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}
> >> "
> >> 
> >>  exec "${RUNDIR}/last.fm" "$@"
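Review bot: the replacement `export` line has no comment saying why `${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}` is used, and without one a later edit could easily revert to the removed form. The removed line left a trailing colon whenever `LD_LIBRARY_PATH` was unset or empty, and the dynamic loader treats an empty path element as the current directory; a one-line comment above the export stating that would document the CVE-2010-3362 fix in the script itself. The expansion only guards the unset-or-empty case, so an inherited value that already contains an empty element (a leading or trailing colon, or `::`) still passes through unchanged. As quoted, the added line is also wrapped across three lines with the closing quote alone on the last; it needs to be a single line in the uploaded script.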
> >>
> >>
> >> Is this OK to upload?
> >>
> >>
> > The changelog should say 'stable' rather than 'stable-security'. 
> > Other than this, please go ahead.
> 
> John,
> did you see the mail? You haven't uploaded a spu update yet.
> 
> Cheers,
>         Moritz

No I didn't, but that was my fault.  It's now uploaded.

Regards,

John

