Bug#827111: jessie-pu: package exim4/4.84.2-2
Hi Adam,
On Mon, Jul 25, 2016 at 06:54:08PM +0100, Adam D. Barratt wrote:
> [CC += team@security]
>
> On Mon, 2016-07-25 at 19:35 +0200, Andreas Metzler wrote:
> > now we have 4.84.2-1+deb8u1 in stable security, and 4.84.2-2 in spu would
> > overwrite it at the next stable release. How do I fix this properly?
>
> :-(
>
> The DSA claims -2+deb8u1 was released, but that's clearly incorrect.
Yes, please accept our apologies for that error on our end.
> > a) Redo 4.84.2-2 with 4.84.2-1+deb8u1 merged in
>
> Packages in p-u have been built on buildds, are already on mirrors and
> may be on users' systems, so this is a no-go.
>
> > b) Release 4.84.2-3 with 4.84.2-1+deb8u1 merged in
>
> Could we have a debdiff of that option, just to check that we're on the
> same page as to exactly what that means, please?
Since we claimed 4.84.2-2+deb8u1 in the DSA, would it help if we just
redid the update and pushed the packages (without a further announcement,
since that was the claimed version)?
Attached is how that would look, as a debdiff against 4.84.2-2.
Regards,
Salvatore
diff -Nru exim4-4.84.2/debian/changelog exim4-4.84.2/debian/changelog
--- exim4-4.84.2/debian/changelog 2016-06-13 19:33:16.000000000 +0200
+++ exim4-4.84.2/debian/changelog 2016-07-25 20:11:49.000000000 +0200
@@ -1,3 +1,12 @@
+exim4 (4.84.2-2+deb8u1) jessie-security; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+
+ [ Dominic Hargreaves ]
+ * eximstats: Remove . from @INC [CVE-2016-1238]
+
+ -- Salvatore Bonaccorso <carnil@debian.org> Mon, 25 Jul 2016 20:10:44 +0200
+
exim4 (4.84.2-2) jessie; urgency=medium
* 90_Cutthrough-Fix-bug-with-dot-only-line.patch: JH/38 Fix cutthrough bug
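Review bot: the new changelog entry never says that it supersedes the 4.84.2-1+deb8u1 upload already in jessie-security, which is the whole reason this version exists; a line such as " * Re-upload on top of 4.84.2-2 to supersede 4.84.2-1+deb8u1" next to the eximstats bullet would make that clear to anyone reading the changelog later. The version ordering itself is fine: 4.84.2-2+deb8u1 sorts above both 4.84.2-2 (proposed-updates) and 4.84.2-1+deb8u1 (security), so both sets of users pick up the fix.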
diff -Nru exim4-4.84.2/debian/patches/92_CVE-2016-1238.diff exim4-4.84.2/debian/patches/92_CVE-2016-1238.diff
--- exim4-4.84.2/debian/patches/92_CVE-2016-1238.diff 1970-01-01 01:00:00.000000000 +0100
+++ exim4-4.84.2/debian/patches/92_CVE-2016-1238.diff 2016-07-25 20:11:49.000000000 +0200
@@ -0,0 +1,11 @@
+--- a/src/eximstats.src 2016-07-24 22:29:53.000000000 +0100
++++ b/src/eximstats.src 2016-07-24 22:33:49.763365395 +0100
+@@ -550,6 +550,8 @@
+
+ =cut
+
++BEGIN { pop @INC if $INC[-1] eq '.' }
++
+ use integer;
+ use strict;
+ use IO::File;
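Review bot: the new 92_CVE-2016-1238.diff carries no DEP-3 header, so nothing in the patch itself records what it fixes or where it comes from; a short "Description: eximstats: remove . from @INC [CVE-2016-1238]" plus "Author: Dominic Hargreaves" (matching the changelog attribution) would be worth adding before the "--- a/src/eximstats.src" line. Also worth confirming that no use or require statement appears in eximstats.src before line 550: the BEGIN block only affects modules loaded after it runs, so anything pulled in earlier would still search the current directory.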
diff -Nru exim4-4.84.2/debian/patches/series exim4-4.84.2/debian/patches/series
--- exim4-4.84.2/debian/patches/series 2016-06-12 13:36:50.000000000 +0200
+++ exim4-4.84.2/debian/patches/series 2016-07-25 20:11:49.000000000 +0200
@@ -21,3 +21,4 @@
89_02_Store-the-initial-working-directory.diff
90_Cutthrough-Fix-bug-with-dot-only-line.patch
91_Expansions-Fix-crash-in-crypteq-On-OpenBSD-a-bad-sec.patch
+92_CVE-2016-1238.diff