[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: jessie-pu: package libiberty/20161017-1+deb8u1

On Mon, 2016-10-17 at 21:25 +0200, Anton Gladky wrote:
> libiberty needs to be updated in Jessie, because the newer version
> fixes many security issues:

Please file this as an appropriately-tagged bug against
release.debian.org; mails to the list have a tendency to get lost.

> CVE-2016-4487 CVE-2016-4488 CVE-2016-4489 CVE-2016-4490
> CVE-2016-4492 CVE-2016-4493 CVE-2016-2226 CVE-2016-6131
> Also libiberty is statically linked against "ht" which is also
> should be updated in order to fix same CVEs, becuase ht used
> embedded copy of libiberty (#840358).

I'm slightly confused here. libiberty is statically linked against
something that embeds libiberty? That seems somewhat circular.

> Please review an attached patch (filtered).

>From a very quick look:

+libiberty (20161017-1+deb8u1) jessie-proposed-updates; urgency=medium
+libiberty (20161017-1) unstable; urgency=medium

That's broken. The upload to stable needs to have a lower version than

diff -Nru libiberty-20141014/debian/compat libiberty-20161017/debian/compat
--- libiberty-20141014/debian/compat    2013-11-16 20:38:52.000000000 +0100
+++ libiberty-20161017/debian/compat    2016-02-15 20:15:24.000000000 +0100
@@ -1 +1 @@
-Build-Depends: debhelper (>= 8.0.0), autotools-dev
-Standards-Version: 3.9.6
+Build-Depends: debhelper (>= 9), autotools-dev

That's not an acceptable change for a stable update.

The debdiff also doesn't appear to contain any changes outside of
debian/, which makes it impossible to review.



Reply to: