Bug#650542: pu: package mojarra/2.0.3-1
On Wed, Nov 30, 2011 at 08:15:31PM +0000, Adam D. Barratt wrote:
> On Wed, 2011-11-30 at 14:22 -0430, Miguel Landaeta wrote:
> > I have prepared an upload to fix #650430 / CVE-2011-4358.
> >
> > This bug affects mojarra 2.0.3-1 in stable.
>
> Thanks for working on this.
>
> > I'm attaching the debdiff with the backported patch that fixes
> > this issue and the updated package meant for squeeze.
>
> It's not exactly a minimal patch - admittedly we've seen worse. :) I'm
> guessing that the .properties changes and the pulling in of logging code
> are part of the upstream patch, although I'm not really sure how they
> contribute to fixing the bug. Maybe I'm just getting cynical in my old
> age. :)
>
> > I plan to do an urgent upload to unstable before the weekend.
>
> It might be obvious and predictable, but for the record - the unstable
> upload needs to happen before stable. Preferably unstable wants to be
> fixed for a few days at least, in order to verify that no obvious
> regressions occur.
>
> > A patch and a link to a PoC can be found in the body of #650430 report.
>
> Have the security team confirmed that they don't wish to handle this via
> a DSA? I couldn't see anything in the bug report or the security
> tracker which mentions not doing so.
No, this should be fixed through stable-security.
Miguel, please upload to stable-security as outlined here:
http://www.debian.org/doc/manuals/developers-reference/pkgs.html#bug-security-building
You need to build with "-sa", since mojarra is new in stable-security.
Cheers,
Moritz
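Two pre-upload sanity checks for the stable-security step described above, as an added example; this is not code from the bug thread or from the mojarra package. The debian/changelog header and the two .changes fragments are constructed for illustration, and the version suffix "+squeeze1" and the maintainer address are assumptions, not values taken from the actual upload.

```shell
#!/bin/sh
# Added example: sanity-check a build meant for stable-security before
# running dput. All sample files below are constructed, not real artifacts.

# changelog_targets_security FILE
#   Exit 0 if the topmost debian/changelog entry targets the security suite
#   (stable-security or squeeze-security), which is where the upload must go.
changelog_targets_security() {
    head -n 1 "$1" | grep -Eq '^[a-z0-9.+-]+ \([^)]+\) (stable|squeeze)-security;'
}

# changes_has_orig_tarball FILE
#   Exit 0 if the .changes file lists the upstream .orig.tar.* among its
#   files. Building with "-sa" forces that inclusion; it matters here because
#   the security archive has never seen mojarra's orig tarball.
changes_has_orig_tarball() {
    grep -Eq '[[:space:]][^[:space:]]+\.orig\.tar\.(gz|bz2|xz)$' "$1"
}

# build_for_security_upload
#   The build command itself: -sa makes dpkg-buildpackage include the orig
#   tarball regardless of the Debian revision. Defined only, not run here;
#   invoke it from the unpacked source directory.
build_for_security_upload() {
    dpkg-buildpackage -rfakeroot -sa
}

# --- constructed samples (assumed version 2.0.3-1+squeeze1) ---------------
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT

cat > "$tmpdir/changelog" <<'EOF'
mojarra (2.0.3-1+squeeze1) stable-security; urgency=high

  * Backport upstream fix for CVE-2011-4358 (Closes: #650430).

 -- Debian Maintainer <maintainer@example.org>  Wed, 30 Nov 2011 14:22:00 -0430
EOF

# What the Files section looks like after a "-sa" build (orig tarball present).
cat > "$tmpdir/with_sa.changes" <<'EOF'
Files:
 00000000000000000000000000000000 1234 java optional mojarra_2.0.3-1+squeeze1.dsc
 00000000000000000000000000000000 1234 java optional mojarra_2.0.3.orig.tar.gz
 00000000000000000000000000000000 1234 java optional mojarra_2.0.3-1+squeeze1.debian.tar.gz
EOF

# What a plain build of a non-"-1" revision produces without "-sa": the
# orig tarball is omitted, and the security archive upload would be rejected.
cat > "$tmpdir/without_sa.changes" <<'EOF'
Files:
 00000000000000000000000000000000 1234 java optional mojarra_2.0.3-1+squeeze1.dsc
 00000000000000000000000000000000 1234 java optional mojarra_2.0.3-1+squeeze1.debian.tar.gz
EOF

if changelog_targets_security "$tmpdir/changelog" \
   && changes_has_orig_tarball "$tmpdir/with_sa.changes"; then
    echo "ok: changelog targets stable-security and orig tarball is included"
else
    echo "not ok: fix the changelog distribution or rebuild with -sa" >&2
fi
```

Run the two checks against the real debian/changelog and the .changes file dpkg-buildpackage produced; if the second check fails, the build was done without "-sa" and the upload will be missing the orig tarball the security archive needs.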