Re: request to send update packages for ulfius, rhonabwy and glewlwyd
Hello Jonathan,
Thanks for your answer, I have a couple of questions though, to make
sure I'm on the right track before the pu window closes. It's my first
pu upload, so I'm a little confused.
On 2021-09-20 at 17:02, Jonathan Wiltshire wrote:
Please see the guidance in the developer's reference [1] and use reportbug
to submit your request(s). In particular you need to include a source
debdiff of the proposed changes.
I followed the dev reference to make my changes, but something's not clear
to me.
I've opened the bug #994763 "Fix CVE-2021-40540 in bullseye", and I was
told to merge this bug with the original one (#993851) because it's
not necessary to file a separate bug for the suites in which I want to
fix a bug.
So I just have to attach the debdiff files for bullseye and buster in
the original bug #993851?
See diff file attached for the debdiff I intend to post.
After that, I can dput ftp-master the new packages. Am I correct?
Thanks!
/Nicolas
diff -Nru ulfius-2.7.1/debian/changelog ulfius-2.7.1/debian/changelog
--- ulfius-2.7.1/debian/changelog 2021-01-03 09:03:05.000000000 -0500
+++ ulfius-2.7.1/debian/changelog 2021-09-19 15:39:39.000000000 -0400
@@ -1,3 +1,9 @@
+ulfius (2.7.1-1+deb11u1) bullseye; urgency=medium
+
+ * d/patches: Fix CVE-2021-40540
+
+ -- Nicolas Mora <babelouest@debian.org> Sun, 19 Sep 2021 15:39:39 -0400
+
ulfius (2.7.1-1) unstable; urgency=medium
* New upstream release
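Review bot: The new changelog entry "* d/patches: Fix CVE-2021-40540" does not name the patch file or reference the bug the upload addresses. Consider wording it along the lines of "d/patches/CVE-2021-40540.patch: zero the connection_info_struct before use" and adding a reference to #993851, the original bug mentioned in this thread, so the debdiff reviewer can match the upload to the report without opening the patch.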
diff -Nru ulfius-2.7.1/debian/patches/CVE-2021-40540.patch ulfius-2.7.1/debian/patches/CVE-2021-40540.patch
--- ulfius-2.7.1/debian/patches/CVE-2021-40540.patch 1969-12-31 19:00:00.000000000 -0500
+++ ulfius-2.7.1/debian/patches/CVE-2021-40540.patch 2021-09-19 15:39:20.000000000 -0400
@@ -0,0 +1,13 @@
+Description: Fix CVE-2021-40540
+Author: Nicolas Mora <babelouest@debian.org>
+Forwarded: not-needed
+--- a/src/ulfius.c
++++ b/src/ulfius.c
+@@ -207,6 +207,7 @@
+ UNUSED(cls);
+
+ if (con_info != NULL) {
++ memset(con_info, 0, sizeof(struct connection_info_struct));
+ con_info->callback_first_iteration = 1;
+ con_info->u_instance = NULL;
+ u_map_init(&con_info->map_url_initial);
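Review bot: The patch header (Description, Author, Forwarded) says only "Fix CVE-2021-40540" and does not explain why the added memset(con_info, 0, sizeof(struct connection_info_struct)) fixes it, that is, which member of the struct was previously used without being initialised. A one- or two-line explanation in Description, plus a Bug-Debian field pointing at #993851, would make the change reviewable on its own; "Forwarded: not-needed" would also benefit from a short reason. On the code itself, the memset sits inside the existing con_info != NULL check and runs before the field assignments that follow, so the ordering looks right.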
diff -Nru ulfius-2.7.1/debian/patches/series ulfius-2.7.1/debian/patches/series
--- ulfius-2.7.1/debian/patches/series 2021-01-03 09:03:05.000000000 -0500
+++ ulfius-2.7.1/debian/patches/series 2021-09-19 15:39:39.000000000 -0400
@@ -1,2 +1,3 @@
examples.patch
doc.patch
+CVE-2021-40540.patch