Bug#872441: stretch-pu: package gsoap/2.8.35-4+deb9u1

To: Mattias Ellert <mattias.ellert@physics.uu.se>, 872441@bugs.debian.org
Subject: Bug#872441: stretch-pu: package gsoap/2.8.35-4+deb9u1
From: Jonathan Wiltshire <jmw@debian.org>
Date: Sat, 23 Sep 2017 18:24:49 +0100
Message-id: <[🔎] 20170923172449.gmuyqg6qy4e54f2r@powdarrmonkey.net>
Reply-to: Jonathan Wiltshire <jmw@debian.org>, 872441@bugs.debian.org
In-reply-to: <1503048909.18700.18.camel@physics.uu.se>
References: <1502980716.2609.20.camel@physics.uu.se> <1502980716.2609.20.camel@physics.uu.se> <20170817182205.hwxwweeut7z6ujct@ftbfs.de> <1503003592.16131.7.camel@adam-barratt.org.uk> <1503039664.18700.5.camel@physics.uu.se> <15a0d77d62107f581d5fcc9381d16b65@mail.adam-barratt.org.uk> <1502980716.2609.20.camel@physics.uu.se> <1503048909.18700.18.camel@physics.uu.se> <1502980716.2609.20.camel@physics.uu.se>

Control: tag -1 confirmed

On Fri, Aug 18, 2017 at 11:35:09AM +0200, Mattias Ellert wrote:
> fre 2017-08-18 klockan 08:46 +0100 skrev Adam D. Barratt:
> > On 2017-08-18 8:01, Mattias Ellert wrote:
> > > tor 2017-08-17 klockan 21:59 +0100 skrev Adam D. Barratt:
> > > > On Thu, 2017-08-17 at 20:22 +0200, Martin Zobel-Helas wrote:
> > > > > Hi,
> > > > > 
> > > > > On Thu Aug 17, 2017 at 16:38:36 +0200, Mattias Ellert wrote:
> > > > 
> > > > [...]
> > > > > > +gsoap (2.8.35-4+deb9u1) stretch; urgency=medium
> > > > > > +
> > > > > > +  * Fix for CVE-2017-9765 (Closes: xxxx)
> > 
> > [...]
> > > > Is there actually a Debian bug for the issue? I couldn't find one.

I've been trying to unpick exactly whether this issue is fixed in unstable
or not. I can only assume so since the security tracker claims it so
(https://security-tracker.debian.org/tracker/CVE-2017-9765) but your
changelog for 2.8.49-1 doesn't mention the CVE. I presume the CVE wasn't
yet public before you fixed it?

This is why a tracking bug against the package, even after the event,
is helpful when someone who has no other connection with the package gets a
request to look into it.

(Incidentally the fixed versions on #859932 confused me until I realised
that you're including previous uploads in your changes every time you
upload. You really needn't do that, it just ends up generating lies in the
version tracking.)

> diff -Nru gsoap-2.8.35/debian/changelog gsoap-2.8.35/debian/changelog
> --- gsoap-2.8.35/debian/changelog	2016-12-06 09:32:36.000000000 +0100
> +++ gsoap-2.8.35/debian/changelog	2017-08-16 11:58:11.000000000 +0200
> @@ -1,3 +1,9 @@
> +gsoap (2.8.35-4+deb9u1) stretch; urgency=medium
> +
> +  * Fix for CVE-2017-9765
> +
> + -- Mattias Ellert <mattias.ellert@physics.uu.se>  Wed, 16 Aug 2017 11:58:11 +0200

Please go ahead, but a little more detail in your changelog (what is
CVE-2017-9765 and what changed to fix it?) is always appreciated.

Thanks,

-- 
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51

Reply to:

Follow-Ups:
- Bug#872441: stretch-pu: package gsoap/2.8.35-4+deb9u1
  - From: Salvatore Bonaccorso <carnil@debian.org>
- Bug#872441: stretch-pu: package gsoap/2.8.35-4+deb9u1
  - From: "Adam D. Barratt" <adam@adam-barratt.org.uk>

Prev by Date: Bug#876020: stretch-pu: package libwpd/0.10.1-5+deb9u1
Next by Date: Processed: Re: Bug#872441: stretch-pu: package gsoap/2.8.35-4+deb9u1
Previous by thread: Processed: tagging 875994
Next by thread: Processed: Re: Bug#872441: stretch-pu: package gsoap/2.8.35-4+deb9u1
Index(es):
- Date
- Thread