
Bug#809855: jessie-pu: package yubiserver/0.5-2+deb8u1



Hi,

On Mon, Jan 04, 2016 at 07:08:41PM +0100, Salvatore Bonaccorso wrote:
> Package: release.debian.org
> Severity: normal
> Tags: jessie
> User: release.debian.org@packages.debian.org
> Usertags: pu
> 
> Hi Stable Release managers,
> 
> yubiserver in jessie is affected by:
> 
> CVE-2015-0842: SQL injection issues (potential auth bypass)
> CVE-2015-0843: Buffer overflows due to misuse of sprintf
> 
> which got fixed in unstable by the 0.6-1 upload. These do not warrant
> a DSA but it would be nice to have it fixed in stable as well. I have
> extracted the diff for 0.5-2, but basically 0.6-1 is the release
> fixing the two CVEs.
> 
> I would suggest to just release 0.6-1~deb8u1 being a rebuild of 0.6-1
> for jessie if you agree, otherwise the debdiff with only the needed
> changes is attached.
> 
> A rebuild of 0.6-1 for jessie would additionally fix 
> 
>  yubiserver (0.5-3) unstable; urgency=medium
>  .
>    * Handle -l switch correctly. Thanks to Clemens Lang
>      for the bug report (Closes: Bug#781552).
>    * Remove unowned directory after purge. Thanks to Andreas Beckmann for
>      the bug report (Closes: Bug#770535).
> 
> Is any of those fine with you?

This didn't make it to the debian-release list, resending it with
compressed debdiffs.

Regards,
Salvatore

Attachment: yubiserver_0.5-2+deb8u1.debdiff.xz
Description: application/xz

Attachment: yubiserver_0.6-1~deb8u1.debdiff.xz
Description: application/xz

