Bug#872441: stretch-pu: package gsoap/2.8.35-4+deb9u1
- To: Mattias Ellert <mattias.ellert@physics.uu.se>, 872441@bugs.debian.org
- Subject: Bug#872441: stretch-pu: package gsoap/2.8.35-4+deb9u1
- From: Jonathan Wiltshire <jmw@debian.org>
- Date: Sat, 23 Sep 2017 18:24:49 +0100
- Message-id: <20170923172449.gmuyqg6qy4e54f2r@powdarrmonkey.net>
- Reply-to: Jonathan Wiltshire <jmw@debian.org>, 872441@bugs.debian.org
- In-reply-to: <1503048909.18700.18.camel@physics.uu.se>
- References: <1502980716.2609.20.camel@physics.uu.se> <1502980716.2609.20.camel@physics.uu.se> <20170817182205.hwxwweeut7z6ujct@ftbfs.de> <1503003592.16131.7.camel@adam-barratt.org.uk> <1503039664.18700.5.camel@physics.uu.se> <15a0d77d62107f581d5fcc9381d16b65@mail.adam-barratt.org.uk> <1502980716.2609.20.camel@physics.uu.se> <1503048909.18700.18.camel@physics.uu.se> <1502980716.2609.20.camel@physics.uu.se>
Control: tag -1 confirmed
On Fri, Aug 18, 2017 at 11:35:09AM +0200, Mattias Ellert wrote:
> fre 2017-08-18 klockan 08:46 +0100 skrev Adam D. Barratt:
> > On 2017-08-18 8:01, Mattias Ellert wrote:
> > > tor 2017-08-17 klockan 21:59 +0100 skrev Adam D. Barratt:
> > > > On Thu, 2017-08-17 at 20:22 +0200, Martin Zobel-Helas wrote:
> > > > > Hi,
> > > > >
> > > > > On Thu Aug 17, 2017 at 16:38:36 +0200, Mattias Ellert wrote:
> > > >
> > > > [...]
> > > > > > +gsoap (2.8.35-4+deb9u1) stretch; urgency=medium
> > > > > > +
> > > > > > + * Fix for CVE-2017-9765 (Closes: xxxx)
> >
> > [...]
> > > > Is there actually a Debian bug for the issue? I couldn't find one.
I've been trying to unpick exactly whether this issue is fixed in unstable
or not. I can only assume so since the security tracker claims it so
(https://security-tracker.debian.org/tracker/CVE-2017-9765) but your
changelog for 2.8.49-1 doesn't mention the CVE. I presume the CVE wasn't
yet public before you fixed it?

This is why a tracking bug against the package, even after the event,
is helpful when someone who has no other connection with the package gets a
request to look into it.

(Incidentally the fixed versions on #859932 confused me until I realised
that you're including previous uploads in your changes every time you
upload. You really needn't do that, it just ends up generating lies in the
version tracking.)
> diff -Nru gsoap-2.8.35/debian/changelog gsoap-2.8.35/debian/changelog
> --- gsoap-2.8.35/debian/changelog 2016-12-06 09:32:36.000000000 +0100
> +++ gsoap-2.8.35/debian/changelog 2017-08-16 11:58:11.000000000 +0200
> @@ -1,3 +1,9 @@
> +gsoap (2.8.35-4+deb9u1) stretch; urgency=medium
> +
> + * Fix for CVE-2017-9765
> +
> + -- Mattias Ellert <mattias.ellert@physics.uu.se> Wed, 16 Aug 2017 11:58:11 +0200
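Review bot: the new top entry in debian/changelog says only "Fix for CVE-2017-9765", with no summary of the vulnerability and no indication of what was changed to fix it, so anyone auditing the stretch update has to look both up elsewhere. Suggest extending the bullet with a short description of the issue and of the change that addresses it. The earlier draft quoted in this thread carried "(Closes: xxxx)" and this version has no bug reference at all; if a tracking bug is filed against the package, reference it here so the fix shows up in version tracking.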
Please go ahead, but a little more detail in your changelog (what is
CVE-2017-9765 and what changed to fix it?) is always appreciated.
Thanks,
--
Jonathan Wiltshire jmw@debian.org
Debian Developer http://people.debian.org/~jmw
4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51