On 2016-10-25 14:32, Andrew Shadura wrote:
On 25/10/16 15:31, Adam D. Barratt wrote:Control: tags -1 + confirmed On 2016-10-25 10:10, Andrew Shadura wrote:I have prepared an upload fixing CVE-2016-8694, CVE-2016-8695, CVE-2016-8696, CVE-2016-8697, CVE-2016-8698, CVE-2016-8699, CVE-2016-8700, CVE-2016-8701, CVE-2016-8702, CVE-2016-8703. Please find the attached debdiff.I assume "CVE-2016-8694.patch" actually fixes all of the listed CVEs? Ifso, and assuming that the resulting package has been tested on stable, please go ahead.Yes, it does.
Unfortunately it appears that the uploaded package was not built in a (purely) jessie environment, so I'm afraid that I've had to mark it to be rejected.
Automated binary debdiffs show: <quote>Warning: these package names were in the second list but not in the first:
-------------------------------------------------------------------------- libpotrace0-dbgsym potrace-dbgsym ... Files only in first set of .debs, found in package libpotrace0 -------------------------------------------------------------- -rwxr-xr-x root/root DEBIAN/postinst -rwxr-xr-x root/root DEBIAN/postrm New files in second set of .debs, found in package libpotrace0 -------------------------------------------------------------- -rw-r--r-- root/root DEBIAN/triggers </quote>Those changes won't happen if jessie's debhelper was used for the build. (The fact that dak didn't reject the package itself is a known issue with the *-debug suite checks.)
Regards, Adam