
Bug#920804: release.debian.org: security upload for r-cran-readxl



On 30 January 2019 at 13:11, Adam D. Barratt wrote:
| On 2019-01-29 11:53, Dirk Eddelbuettel wrote:
| > This is a follow-up to the discussion in #919324 and subsequent emails
| > with Moritz and Salvatore. The two CVEs are genuine and fixed, the issue
| > however is not a full-blown denial-of-service etc so Moritz suggested a
| > normal security upload.
| > 
| > The debdiff is included below, with the distribution changed from
| > stretch-security to just stretch.
| > 
| > Happy to upload once you give a green light.  (System information
| > removed as I type this on Ubuntu 18.10 ...)
| 
| Apparently it was already uploaded.
| 
|    patches/updated-upstream-changes | 2699 +++++++++++++++++++++++++++++++++++++++

To unstable, yes - as 1.2.9000-1. But Moritz asked me to also upload to
stretch. See https://packages.debian.org/search?keywords=r-cran-readxl
 
| Aside from being big enough to be non-trivial to review, the filename of 
| that patch isn't ideal. If there are other upstream changes that need 
| incorporating in future, are you simply planning on appending to that 
| patch, rather than having separate patches for specific purposes?

This is Debian packaging of the CRAN package readxl. Its current upstream
version is in better shape.

I "have to" run this fix as CVEs had been issued. As Moritz (now CCed)
suggested that this doesn't need a full-blown security upload (no DoS here,
just plain segfaults in R when libxls is loaded) we went this route.
 
| I noticed that your changelog includes a Closes: for this bug. Please 
| don't do that. Bugs against release.d.o for stable updates get closed by 
| us once the package is actually in stable (i.e. after a point release 
| which includes the update has been released); uploading the package is 
| some way from the end of the process of the fix being available for end 
| users.

Sorry, my bad. I don't do security uploads to stable often and am not as smooth
as I could be for lack of practice.

Is there anything you need correcting so badly that we need a new upload from
me?  If so, can you please spell out in clear detail what needs changing?

Many thanks, Dirk
 
| Regards,
| 
| Adam

-- 
http://dirk.eddelbuettel.com | @eddelbuettel | edd@debian.org