Re: jessie-pu: package libiberty/20161017-1+deb8u1
On Mon, 2016-10-17 at 21:25 +0200, Anton Gladky wrote:
> libiberty needs to be updated in Jessie, because the newer version
> fixes many security issues:
Please file this as an appropriately-tagged bug against
release.debian.org; mails to the list have a tendency to get lost.
> CVE-2016-4487 CVE-2016-4488 CVE-2016-4489 CVE-2016-4490
> CVE-2016-4492 CVE-2016-4493 CVE-2016-2226 CVE-2016-6131
> Also libiberty is statically linked against "ht" which also
> should be updated in order to fix same CVEs, because ht used an
> embedded copy of libiberty (#840358).
I'm slightly confused here. libiberty is statically linked against
something that embeds libiberty? That seems somewhat circular.
> Please review an attached patch (filtered).
From a very quick look:
+libiberty (20161017-1+deb8u1) jessie-proposed-updates; urgency=medium
+libiberty (20161017-1) unstable; urgency=medium
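Review bot: the two changelog lines show the proposed stable version `20161017-1+deb8u1` sorting above the unstable version `20161017-1` (a `+deb8u1` suffix appended to the same base version compares higher), so a jessie system upgrading to the next release would keep the stable package instead of picking up the newer one. Base the stable update on the version currently in jessie (the debdiff's old tree is `libiberty-20141014`) and append `+deb8u1` to that, so the result stays below `20161017-1`.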
That's broken. The upload to stable needs to have a lower version than
diff -Nru libiberty-20141014/debian/compat libiberty-20161017/debian/compat
--- libiberty-20141014/debian/compat 2013-11-16 20:38:52.000000000 +0100
+++ libiberty-20161017/debian/compat 2016-02-15 20:15:24.000000000 +0100
@@ -1 +1 @@
-Build-Depends: debhelper (>= 8.0.0), autotools-dev
+Build-Depends: debhelper (>= 9), autotools-dev
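Review bot: the `@@ -1 +1 @@` header belongs to the one-line `debian/compat` file, but the `-`/`+` lines under it are a `Build-Depends` field, which lives in `debian/control`; the filtering has dropped the `debian/control` file header and the compat change itself, so this part of the debdiff cannot be reviewed line by line. Independently of that, raising the debhelper requirement from `(>= 8.0.0)` to `(>= 9)` is a packaging-toolchain change unrelated to the CVE fixes; a stable update should carry only the minimal changes needed for the security fixes, so this hunk should be dropped.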
That's not an acceptable change for a stable update.
The debdiff also doesn't appear to contain any changes outside of
debian/, which makes it impossible to review.
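The version-ordering problem raised above can be checked mechanically. The following Python is an added example written for this thread, not code from the mail or from dpkg: it re-implements the Debian version comparison rules (Policy section 5.6.12, the algorithm dpkg implements as `verrevcmp`) and uses them to test whether a proposed stable version sorts below the version in unstable. The versions `20161017-1+deb8u1` and `20161017-1` are taken from the posted changelog excerpt; `20141014-1+deb8u1` is a hypothetical correctly ordered stable version built from the upstream snapshot already in jessie, since the mail does not show the actual jessie revision.

```python
"""Debian version comparison, re-implemented to check that a stable update
sorts below the package in unstable.

Added example for this thread; not dpkg code.  It follows Debian Policy
5.6.12 (dpkg's verrevcmp): epoch, then upstream version, then Debian
revision, each fragment compared by alternating non-digit and digit runs,
with '~' sorting before everything, including the end of the string.
"""


def _order(c):
    """Sort weight of one character in a non-digit run (dpkg's order())."""
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256  # other punctuation sorts after letters


def _cmp_fragment(a, b):
    """Compare an upstream version or revision string; returns -1, 0 or 1."""
    ia = ib = 0
    while ia < len(a) or ib < len(b):
        # Non-digit run: compare character by character by _order() weight.
        while (ia < len(a) and not a[ia].isdigit()) or (
            ib < len(b) and not b[ib].isdigit()
        ):
            ca = a[ia] if ia < len(a) else ""
            cb = b[ib] if ib < len(b) else ""
            oa, ob = _order(ca), _order(cb)
            if oa != ob:
                return -1 if oa < ob else 1
            ia += 1
            ib += 1
        # Digit run: compare numerically, ignoring leading zeros.
        while ia < len(a) and a[ia] == "0":
            ia += 1
        while ib < len(b) and b[ib] == "0":
            ib += 1
        first_diff = 0
        while ia < len(a) and a[ia].isdigit() and ib < len(b) and b[ib].isdigit():
            if not first_diff:
                first_diff = ord(a[ia]) - ord(b[ib])
            ia += 1
            ib += 1
        if ia < len(a) and a[ia].isdigit():
            return 1  # a has more digits, so it is the larger number
        if ib < len(b) and b[ib].isdigit():
            return -1
        if first_diff:
            return -1 if first_diff < 0 else 1
    return 0


def _split(version):
    """Split '[epoch:]upstream[-revision]' into its three parts."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""  # no revision compares equal to "0"
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 as Debian version a is <, == or > version b."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    result = _cmp_fragment(ua, ub)
    if result:
        return result
    return _cmp_fragment(ra, rb)


def stable_update_is_ordered(stable_version, unstable_version):
    """A stable update must compare strictly lower than the package in
    unstable, otherwise upgrades from stable never see the newer package."""
    return compare_versions(stable_version, unstable_version) < 0


if __name__ == "__main__":
    # Versions from the posted changelog excerpt.
    PROPOSED_STABLE = "20161017-1+deb8u1"
    UNSTABLE = "20161017-1"
    # Hypothetical correctly ordered stable version: the upstream snapshot
    # already in jessie (libiberty-20141014) plus a +deb8u1 suffix.  The real
    # jessie Debian revision is not shown in the mail, so "-1" is a placeholder.
    CORRECT_STABLE = "20141014-1+deb8u1"
    for stable in (PROPOSED_STABLE, CORRECT_STABLE):
        print(f"{stable} < {UNSTABLE}: {stable_update_is_ordered(stable, UNSTABLE)}")
```

Running the block reports `False` for the proposed `20161017-1+deb8u1` and `True` for a version based on the jessie snapshot, which is exactly the distinction the reviewer is drawing. The same function can be used as a pre-upload check in a packaging script where `dpkg --compare-versions` is not available.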