Hey, now I rebuilt the package with the attached debdif on a sbuild -d stretch- amd64 and tried kontact under a virtualbox. Best Regards, sandro -- On Montag, 24. Juli 2017 16:26:22 CEST Adam D. Barratt wrote: > On 2017-07-24 15:45, Sandro Knauß wrote: > > Control: tags -1 - moreinfo > > > >> We'll need to see a debdiff of the proposed package, built and tested > >> on > >> stretch, before going any further, please. > > > > The debdiff is the version, that is currently in testing. The diff was > > created > > when testing was in deep freeze, so actually the version state, that is > > now in > > stretch. The versionnumber may need to be adjusted. > > It *will* need to be adjusted. You can't re-upload with a version number > that's already been used. > > Again, what was requested was a debdiff of the actual proposed package, > not simply the result of comparing the current unstable/testing package > against stable. > > Regards, > > Adam
diff -Nru kf5-messagelib-16.04.3/debian/changelog kf5-messagelib-16.04.3/debian/changelog --- kf5-messagelib-16.04.3/debian/changelog 2016-08-02 14:07:27.000000000 +0200 +++ kf5-messagelib-16.04.3/debian/changelog 2017-06-17 09:08:12.000000000 +0200 @@ -1,3 +1,13 @@ +kf5-messagelib (4:16.04.3-3~deb9u1) stretch; urgency=high + + * Team upload. + + [ Sandro Knauß ] + * Fix CVE-2017-9604: Send Later with Delay bypasses OpenPGP (Closes: #864803) + - Added upstream patch fix-CVE-2017-9604.patch + + -- Sandro Knauß <hefee@debian.org> Sat, 17 Jun 2017 09:08:12 +0200 + kf5-messagelib (4:16.04.3-2) unstable; urgency=high [ Automatic packaging ] diff -Nru kf5-messagelib-16.04.3/debian/patches/fix-CVE-2017-9604.patch kf5-messagelib-16.04.3/debian/patches/fix-CVE-2017-9604.patch --- kf5-messagelib-16.04.3/debian/patches/fix-CVE-2017-9604.patch 1970-01-01 01:00:00.000000000 +0100 +++ kf5-messagelib-16.04.3/debian/patches/fix-CVE-2017-9604.patch 2017-06-17 09:08:12.000000000 +0200 @@ -0,0 +1,26 @@ +From c54706e990bbd6498e7b1597ec7900bc809e8197 Mon Sep 17 00:00:00 2001 +From: Montel Laurent <montel@kde.org> +Date: Fri, 2 Jun 2017 13:56:41 +0200 +Subject: Make sure to sign/encrypt message when we send later + +(cherry picked from commit 4048f5e46d0a7d62d93d74fd2861dd70fb2ad660) +--- + messagecomposer/src/composer/composerviewbase.cpp | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/messagecomposer/src/composer/composerviewbase.cpp b/messagecomposer/src/composer/composerviewbase.cpp +index d44b8b2..672ea1e 100644 +--- a/messagecomposer/src/composer/composerviewbase.cpp ++++ b/messagecomposer/src/composer/composerviewbase.cpp +@@ -468,7 +468,7 @@ void MessageComposer::ComposerViewBase::slotEmailAddressResolved(KJob *job) + // if so, we create a composer per format + // if we aren't signing or encrypting, this just returns a single empty message + bool wasCanceled = false; +- if (m_neverEncrypt && mSaveIn != MessageComposer::MessageSender::SaveInNone) { ++ if (m_neverEncrypt && mSaveIn != MessageComposer::MessageSender::SaveInNone && !mSendLaterInfo) { + MessageComposer::Composer *composer = new MessageComposer::Composer; + composer->setNoCrypto(true); + m_composers.append(composer); +-- +cgit v0.11.2 + diff -Nru kf5-messagelib-16.04.3/debian/patches/series kf5-messagelib-16.04.3/debian/patches/series --- kf5-messagelib-16.04.3/debian/patches/series 2016-08-02 14:07:27.000000000 +0200 +++ kf5-messagelib-16.04.3/debian/patches/series 2017-06-17 09:08:12.000000000 +0200 @@ -1,2 +1,3 @@ upstream_add_copying_files.patch make-it-impossible-to-override-css-settings-from-a-h.patch +fix-CVE-2017-9604.patch
Attachment:
signature.asc
Description: This is a digitally signed message part.