Bug#920804: release.debian.org: security upload for r-cran-readxl
On 30 January 2019 at 13:11, Adam D. Barratt wrote:
| On 2019-01-29 11:53, Dirk Eddelbuettel wrote:
| > This is a follow-up to the discussion in #919324 and subsequent emails
| > with Moritz and Salvatore. The two CVEs are genuine and fixed; the issue,
| > however, is not a full-blown denial of service etc., so Moritz suggested
| > a normal security upload.
| >
| > The debdiff is included below, with the distribution changed from
| > stretch-security to just stretch.
| >
| > Happy to upload once you give a green light. (System information
| > removed as I type this on Ubuntu 18.10 ...)
|
| Apparently it was already uploaded.
|
| patches/updated-upstream-changes | 2699 +++++++++++++++++++++++++++++++++++++++
To unstable, yes - as 1.2.9000-1. But Moritz asked me to also upload to
stretch. See https://packages.debian.org/search?keywords=r-cran-readxl
| Aside from being big enough to be non-trivial to review, the filename of
| that patch isn't ideal. If there are other upstream changes that need
| incorporating in future, are you simply planning on appending to that
| patch, rather than having separate patches for specific purposes?
This is Debian packaging of the CRAN package readxl. Its current upstream
version is in better shape.
I "have to" run this fix as CVEs had been issued. As Moritz (now CCed)
suggested that this doesn't need a full-blown security upload (no DoS here,
just plain segfaults in R when libxls is loaded), we went this route.
| I noticed that your changelog includes a Closes: for this bug. Please
| don't do that. Bugs against release.d.o for stable updates get closed by
| us once the package is actually in stable (i.e. after a point release
| which includes the update has been released); uploading the package is
| some way from the end of the process of the fix being available for end
| users.
Sorry, my bad. I don't do security uploads to stable often and am not as smooth
as I could be for lack of practice.
Is there anything you need corrected so badly that we need a new upload from
me? If so, can you please spell out in clear detail what needs changing?
Many thanks, Dirk
| Regards,
|
| Adam
--
http://dirk.eddelbuettel.com | @eddelbuettel | edd@debian.org