
Bug#988224: unblock: mapserver/7.6.2-2 (pre-approval)



Control: tags -1 - moreinfo

On 5/8/21 9:18 PM, Sebastian Ramacher wrote:
> On 2021-05-08 07:29:01 +0200, Bas Couwenberg wrote:
>> Package: release.debian.org
>> Severity: normal
>> User: release.debian.org@packages.debian.org
>> Usertags: unblock
>>
>> Please unblock package mapserver to fix CVE-2021-32062 as reported in #988208.
>>
>> [ Reason ]
>> Fix security issue.
>>
>> [ Impact ]
>> Unfixed security issue.
>>
>> [ Tests ]
>> Upstream CI.
>>
>> [ Risks ]
>> Low, leaf package.
>>
>> [ Checklist ]
>>   [x] all changes are documented in the d/changelog
>>   [x] I reviewed all changes and I approve them
>>   [x] attach debdiff against the package in testing
>>
>> [ Other info ]
>> 0001-Use-CPLSetConfigOption-CPLGetConfigOption-for-some-C.patch is required as a dependency of 0001-Address-flaw-in-CGI-mapfile-loading-that-makes-it-po.patch.
>>
>> unblock mapserver/7.6.2-2
> 
>> diff -Nru mapserver-7.6.2/debian/changelog mapserver-7.6.2/debian/changelog
>> --- mapserver-7.6.2/debian/changelog	2020-12-09 06:01:02.000000000 +0100
>> +++ mapserver-7.6.2/debian/changelog	2021-05-08 07:12:18.000000000 +0200
>> @@ -1,3 +1,12 @@
>> +mapserver (7.6.2-2) unstable; urgency=high
>> +
>> +  * Drop unused lintian overrides.
>> +  * Add upstream patches to fix CVE-2021-32062.
>> +    (closes: #988208)
>> +  * Update symbols file.
>> +
>> + -- Bas Couwenberg <sebastic@debian.org>  Sat, 08 May 2021 07:12:18 +0200
>> +
>>  mapserver (7.6.2-1) unstable; urgency=medium
>>  
>>    * Update symbols for other architectures.
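Review bot: The new entry's line "Add upstream patches to fix CVE-2021-32062." does not name the patches. The request's [ Other info ] lists two files, one of which is only a dependency of the actual fix. Suggest naming both patch files under that bullet so that d/changelog itself records which patch carries the fix and which is the prerequisite.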
>> diff -Nru mapserver-7.6.2/debian/libmapserver2.lintian-overrides mapserver-7.6.2/debian/libmapserver2.lintian-overrides
>> --- mapserver-7.6.2/debian/libmapserver2.lintian-overrides	2020-08-06 05:34:57.000000000 +0200
>> +++ mapserver-7.6.2/debian/libmapserver2.lintian-overrides	1970-01-01 01:00:00.000000000 +0100
>> @@ -1,3 +0,0 @@
>> -# Cannot easily be fixed
>> -file-references-package-build-path *
>> -
>> diff -Nru mapserver-7.6.2/debian/libmapserver2.symbols mapserver-7.6.2/debian/libmapserver2.symbols
>> --- mapserver-7.6.2/debian/libmapserver2.symbols	2020-12-09 06:00:39.000000000 +0100
>> +++ mapserver-7.6.2/debian/libmapserver2.symbols	2021-05-08 07:11:08.000000000 +0200
>> @@ -945,6 +945,7 @@
>>   msCSVJoinPrepare@Base 6.2.1
>>   msCairoCleanup@Base 6.2.1
>>   msCalculateScale@Base 6.2.1
>> + msCaseEvalRegex@Base 7.6.2
>>   msCaseReplaceSubstring@Base 6.2.1
>>   msCheckLabelMinDistance@Base 7.0.0
>>   msCheckParentPointer@Base 6.2.1
>> @@ -1418,6 +1419,7 @@
>>   msIsGlyphASpace@Base 7.2.0
>>   msIsLayerQueryable@Base 6.2.1
>>   msIsOuterRing@Base 6.2.1
>> + msIsValidRegex@Base 7.6.2
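Review bot: The minimum version on the added line `msIsValidRegex@Base 7.6.2`, and on `msCaseEvalRegex@Base 7.6.2` in the hunk above it, is lower than the revision that first ships these symbols. Both are new in this debdiff against 7.6.2-1, which has the same upstream version, so a dependency generated from this file could be satisfied by 7.6.2-1, which lacks them. Suggest `msCaseEvalRegex@Base 7.6.2-2~` and `msIsValidRegex@Base 7.6.2-2~`.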
> 
> This version is not high enough. The symbols need to be marked as
> requiring 7.6.2-2~

There are no rdeps of mapserver in Debian, so no users of the symbols file.

> Please remove the moreinfo tag once that fixed version is available in
> unstable.

mapserver (7.6.2-2) has been uploaded to unstable without further
changes to the symbols file.

Kind Regards,

Bas

-- 
 GPG Key ID: 4096R/6750F10AE88D4AF1
Fingerprint: 8182 DE41 7056 408D 6146  50D1 6750 F10A E88D 4AF1

