Bug#988224: unblock: mapserver/7.6.2-2 (pre-approval)
Control: tags -1 - moreinfo
On 5/8/21 9:18 PM, Sebastian Ramacher wrote:
> On 2021-05-08 07:29:01 +0200, Bas Couwenberg wrote:
>> Package: release.debian.org
>> Severity: normal
>> User: release.debian.org@packages.debian.org
>> Usertags: unblock
>>
>> Please unblock package mapserver to fix CVE-2021-32062 as reported in #988208.
>>
>> [ Reason ]
>> Fix security issue.
>>
>> [ Impact ]
>> Unfixed security issue.
>>
>> [ Tests ]
>> Upstream CI.
>>
>> [ Risks ]
>> Low, leaf package.
>>
>> [ Checklist ]
>> [x] all changes are documented in the d/changelog
>> [x] I reviewed all changes and I approve them
>> [x] attach debdiff against the package in testing
>>
>> [ Other info ]
>> 0001-Use-CPLSetConfigOption-CPLGetConfigOption-for-some-C.patch is required as a dependency of 0001-Address-flaw-in-CGI-mapfile-loading-that-makes-it-po.patch.
>>
>> unblock mapserver/7.6.2-2
>
>> diff -Nru mapserver-7.6.2/debian/changelog mapserver-7.6.2/debian/changelog
>> --- mapserver-7.6.2/debian/changelog 2020-12-09 06:01:02.000000000 +0100
>> +++ mapserver-7.6.2/debian/changelog 2021-05-08 07:12:18.000000000 +0200
>> @@ -1,3 +1,12 @@
>> +mapserver (7.6.2-2) unstable; urgency=high
>> +
>> + * Drop unused lintian overrides.
>> + * Add upstream patches to fix CVE-2021-32062.
>> + (closes: #988208)
>> + * Update symbols file.
>> +
>> + -- Bas Couwenberg <sebastic@debian.org> Sat, 08 May 2021 07:12:18 +0200
>> +
>> mapserver (7.6.2-1) unstable; urgency=medium
>>
>> * Update symbols for other architectures.
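Review bot: The "Add upstream patches to fix CVE-2021-32062." line in the new 7.6.2-2 entry does not name the patches, while the request text lists two of them and says one is only a dependency of the other. Naming both patch files in the changelog entry, and marking which one is the prerequisite, would let someone auditing the fix from d/changelog alone see what was applied.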
>> diff -Nru mapserver-7.6.2/debian/libmapserver2.lintian-overrides mapserver-7.6.2/debian/libmapserver2.lintian-overrides
>> --- mapserver-7.6.2/debian/libmapserver2.lintian-overrides 2020-08-06 05:34:57.000000000 +0200
>> +++ mapserver-7.6.2/debian/libmapserver2.lintian-overrides 1970-01-01 01:00:00.000000000 +0100
>> @@ -1,3 +0,0 @@
>> -# Cannot easily be fixed
>> -file-references-package-build-path *
>> -
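Review bot: Deleting libmapserver2.lintian-overrides is unrelated to CVE-2021-32062, and the removed override for file-references-package-build-path carried the comment "Cannot easily be fixed". The changelog only calls it "unused"; either say there why the tag no longer triggers, or keep this cleanup out of an urgency=high security upload so the diff under review stays limited to the fix.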
>> diff -Nru mapserver-7.6.2/debian/libmapserver2.symbols mapserver-7.6.2/debian/libmapserver2.symbols
>> --- mapserver-7.6.2/debian/libmapserver2.symbols 2020-12-09 06:00:39.000000000 +0100
>> +++ mapserver-7.6.2/debian/libmapserver2.symbols 2021-05-08 07:11:08.000000000 +0200
>> @@ -945,6 +945,7 @@
>> msCSVJoinPrepare@Base 6.2.1
>> msCairoCleanup@Base 6.2.1
>> msCalculateScale@Base 6.2.1
>> + msCaseEvalRegex@Base 7.6.2
>> msCaseReplaceSubstring@Base 6.2.1
>> msCheckLabelMinDistance@Base 7.0.0
>> msCheckParentPointer@Base 6.2.1
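Review bot: The added line "msCaseEvalRegex@Base 7.6.2" records a minimum version that predates the symbol. Per the changelog hunk, the symbol arrives with the patches added in 7.6.2-2, so a package built against it would get a dependency that 7.6.2-1 satisfies even though that build lacks the symbol. Use 7.6.2-2~ as the minimum version for the symbols introduced by this upload.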
>> @@ -1418,6 +1419,7 @@
>> msIsGlyphASpace@Base 7.2.0
>> msIsLayerQueryable@Base 6.2.1
>> msIsOuterRing@Base 6.2.1
>> + msIsValidRegex@Base 7.6.2
>
> This version is not high enough. The symbols need to be marked as
> requiring 7.6.2-2~

There are no rdeps of mapserver in Debian, so no users of the symbols file.

> Please remove the moreinfo tag once that fixed version is available in
> unstable.

mapserver (7.6.2-2) has been uploaded to unstable without further
changes to the symbols file.

Kind Regards,

Bas

--
GPG Key ID: 4096R/6750F10AE88D4AF1
Fingerprint: 8182 DE41 7056 408D 6146 50D1 6750 F10A E88D 4AF1