Your message dated Sat, 23 Jun 2018 12:32:13 +0100 with message-id <1529753533.11744.69.camel@adam-barratt.org.uk> and subject line Closing bugs for requests included in the EoL jessie point release has caused the Debian Bug report #901276, regarding jessie-pu: package lame/3.99.5+repack1-7+deb8u2 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.) -- 901276: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901276 Debian Bug Tracking System Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: jessie-pu: package lame/3.99.5+repack1-7+deb8u2
- From: Hugo Lefeuvre <hle@debian.org>
- Date: Sun, 10 Jun 2018 14:59:49 -0400
- Message-id: <[🔎] 20180610185949.GB1968@hle-laptop.local>
Package: release.debian.org Severity: normal Tags: jessie User: release.debian.org@packages.debian.org Usertags: pu Hi, lame 3.99.5+repack1-7+deb8u1 is affected by several vulnerabilities in the code used to read the input file. These issues are not present in any Debian release after Jessie because the package switched to libsndfile to read and write audio files. The upstream code itself was recently fixed in 3.100. Following advices from lame's upstream and from lame's maintainer I proposed the attached patch. In this patch we modify the Jessie package to use libsndfile instead of the internal code. The security team considers these issues not worth a DSA but recommended me to submit this patch as jessie-pu. You can find more detailed information about this patch on the debian-lts ML[0]. Thanks ! Regards, Hugo [0] https://lists.debian.org/debian-lts/2018/05/msg00081.html -- Hugo Lefeuvre (hle) | www.owl.eu.com 4096/ 9C4F C8BF A4B0 8FC5 48EB 56B8 1962 765B B9A8 BACAdiff -Nru lame-3.99.5+repack1/debian/changelog lame-3.99.5+repack1/debian/changelog --- lame-3.99.5+repack1/debian/changelog 2015-06-15 09:05:28.000000000 -0400 +++ lame-3.99.5+repack1/debian/changelog 2018-05-27 17:30:02.000000000 -0400 @@ -1,3 +1,16 @@ +lame (3.99.5+repack1-7+deb8u2) oldstable; urgency=high + + [ Fabian Greffrath ] + + * Build the frontend with the sndfile io routines, RAW PCM and WAV can be + read from stdin since at least 3.99.0 (Closes: #867725). + - Add Build-Depends: libsndfile1-dev. + + Addressed CVEs: CVE-2017-9872, CVE-2017-9871, CVE-2017-9870, CVE-2017-9869, + CVE-2017-15046, CVE-2017-15045, CVE-2017-15018. + + -- Hugo Lefeuvre <hle@debian.org> Sun, 27 May 2018 17:30:02 -0400 + lame (3.99.5+repack1-7+deb8u1) jessie; urgency=medium * debian/patches/force_align_arg_pointer.patch: Enable functions with SSE diff -Nru lame-3.99.5+repack1/debian/control lame-3.99.5+repack1/debian/control --- lame-3.99.5+repack1/debian/control 2015-06-15 09:03:04.000000000 -0400 +++ lame-3.99.5+repack1/debian/control 2018-05-27 17:16:42.000000000 -0400 @@ -9,6 +9,7 @@ debhelper (>= 9), dh-autoreconf, libncurses5-dev, + libsndfile1-dev, pkg-config, nasm [i386] Standards-Version: 3.9.5 diff -Nru lame-3.99.5+repack1/debian/rules lame-3.99.5+repack1/debian/rules --- lame-3.99.5+repack1/debian/rules 2015-06-15 09:03:04.000000000 -0400 +++ lame-3.99.5+repack1/debian/rules 2018-05-27 17:16:42.000000000 -0400 @@ -9,4 +9,4 @@ --enable-dynamic-frontends \ --enable-expopt=full \ --enable-nasm \ - --with-fileio=lame + --with-fileio=sndfileAttachment: signature.asc
Description: PGP signature
--- End Message ---
--- Begin Message ---
- To: 831459-done@bugs.debian.org, 837458-done@bugs.debian.org, 862030-done@bugs.debian.org, 876944-done@bugs.debian.org, 879161-done@bugs.debian.org, 885533-done@bugs.debian.org, 885584-done@bugs.debian.org, 885619-done@bugs.debian.org, 887047-done@bugs.debian.org, 887138-done@bugs.debian.org, 887559-done@bugs.debian.org, 887857-done@bugs.debian.org, 888019-done@bugs.debian.org, 888553-done@bugs.debian.org, 888767-done@bugs.debian.org, 891611-done@bugs.debian.org, 891974-done@bugs.debian.org, 893507-done@bugs.debian.org, 893804-done@bugs.debian.org, 893970-done@bugs.debian.org, 895144-done@bugs.debian.org, 895887-done@bugs.debian.org, 895935-done@bugs.debian.org, 896841-done@bugs.debian.org, 896919-done@bugs.debian.org, 896942-done@bugs.debian.org, 897369-done@bugs.debian.org, 897447-done@bugs.debian.org, 897911-done@bugs.debian.org, 899018-done@bugs.debian.org, 899030-done@bugs.debian.org, 901194-done@bugs.debian.org, 901276-done@bugs.debian.org, 901425-done@bugs.debian.org, 901613-done@bugs.debian.org, 901645-done@bugs.debian.org
- Subject: Closing bugs for requests included in the EoL jessie point release
- From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Date: Sat, 23 Jun 2018 12:32:13 +0100
- Message-id: <1529753533.11744.69.camel@adam-barratt.org.uk>
Version: 8.11 Hi, The updates referenced by these bugs were included in today's EoL point release for jessie (8.11). Regards, Adam
--- End Message ---