Bug#988224: unblock: mapserver/7.6.2-2 (pre-approval)



Control: tags -1 moreinfo

On 2021-05-08 22:17:42 +0200, Sebastiaan Couwenberg wrote:
> Control: tags -1 - moreinfo
> 
> On 5/8/21 9:18 PM, Sebastian Ramacher wrote:
> > On 2021-05-08 07:29:01 +0200, Bas Couwenberg wrote:
> >> Package: release.debian.org
> >> Severity: normal
> >> User: release.debian.org@packages.debian.org
> >> Usertags: unblock
> >>
> >> Please unblock package mapserver to fix CVE-2021-32062 as reported in #988208.
> >>
> >> [ Reason ]
> >> Fix security issue.
> >>
> >> [ Impact ]
> >> Unfixed security issue.
> >>
> >> [ Tests ]
> >> Upstream CI.
> >>
> >> [ Risks ]
> >> Low, leaf package.
> >>
> >> [ Checklist ]
> >>   [x] all changes are documented in the d/changelog
> >>   [x] I reviewed all changes and I approve them
> >>   [x] attach debdiff against the package in testing
> >>
> >> [ Other info ]
> >> 0001-Use-CPLSetConfigOption-CPLGetConfigOption-for-some-C.patch is required as a dependency of 0001-Address-flaw-in-CGI-mapfile-loading-that-makes-it-po.patch.
> >>
> >> unblock mapserver/7.6.2-2
> > 
> >> diff -Nru mapserver-7.6.2/debian/changelog mapserver-7.6.2/debian/changelog
> >> --- mapserver-7.6.2/debian/changelog	2020-12-09 06:01:02.000000000 +0100
> >> +++ mapserver-7.6.2/debian/changelog	2021-05-08 07:12:18.000000000 +0200
> >> @@ -1,3 +1,12 @@
> >> +mapserver (7.6.2-2) unstable; urgency=high
> >> +
> >> +  * Drop unused lintian overrides.
> >> +  * Add upstream patches to fix CVE-2021-32062.
> >> +    (closes: #988208)
> >> +  * Update symbols file.
> >> +
> >> + -- Bas Couwenberg <sebastic@debian.org>  Sat, 08 May 2021 07:12:18 +0200
> >> +
> >>  mapserver (7.6.2-1) unstable; urgency=medium
> >>  
> >>    * Update symbols for other architectures.
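Review bot: the `Add upstream patches to fix CVE-2021-32062.` bullet does not name the two patches, although the [Other info] section above explains that 0001-Use-CPLSetConfigOption-CPLGetConfigOption-for-some-C.patch is only a prerequisite of 0001-Address-flaw-in-CGI-mapfile-loading-that-makes-it-po.patch; listing both in the changelog, with the first marked as a prerequisite, would let a reader tell the actual fix from its dependency without consulting the bug. The `Update symbols file.` bullet would likewise benefit from saying that the two new symbols are introduced by the patch, since that is what decides how they must be versioned.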
> >> diff -Nru mapserver-7.6.2/debian/libmapserver2.lintian-overrides mapserver-7.6.2/debian/libmapserver2.lintian-overrides
> >> --- mapserver-7.6.2/debian/libmapserver2.lintian-overrides	2020-08-06 05:34:57.000000000 +0200
> >> +++ mapserver-7.6.2/debian/libmapserver2.lintian-overrides	1970-01-01 01:00:00.000000000 +0100
> >> @@ -1,3 +0,0 @@
> >> -# Cannot easily be fixed
> >> -file-references-package-build-path *
> >> -
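Review bot: the removal of the file-references-package-build-path override is unrelated to the CVE fix. It only changes lintian output and is a no-op for the binary package, so it does not endanger the unblock, but an unblock request during the freeze is easiest to review when the debdiff carries nothing beyond the security fix; at minimum the request should call this out as a non-security change, and if the override were not actually unused the change would belong in a later upload.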
> >> diff -Nru mapserver-7.6.2/debian/libmapserver2.symbols mapserver-7.6.2/debian/libmapserver2.symbols
> >> --- mapserver-7.6.2/debian/libmapserver2.symbols	2020-12-09 06:00:39.000000000 +0100
> >> +++ mapserver-7.6.2/debian/libmapserver2.symbols	2021-05-08 07:11:08.000000000 +0200
> >> @@ -945,6 +945,7 @@
> >>   msCSVJoinPrepare@Base 6.2.1
> >>   msCairoCleanup@Base 6.2.1
> >>   msCalculateScale@Base 6.2.1
> >> + msCaseEvalRegex@Base 7.6.2
> >>   msCaseReplaceSubstring@Base 6.2.1
> >>   msCheckLabelMinDistance@Base 7.0.0
> >>   msCheckParentPointer@Base 6.2.1
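Review bot: `+ msCaseEvalRegex@Base 7.6.2` versions the new symbol as if upstream 7.6.2 shipped it, but the symbol is introduced by the Debian patch and is absent from the 7.6.2-1 library. dpkg-shlibdeps would therefore generate `libmapserver2 (>= 7.6.2)`, which 7.6.2-1 satisfies, so a mapserver binary calling this function could be installed next to a libmapserver2 that does not export it. The entry should be `msCaseEvalRegex@Base 7.6.2-2~`; the trailing `~` makes the minimum sort just below 7.6.2-2, so 7.6.2-2 itself and any binNMU of it satisfy the dependency while 7.6.2-1 does not.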
> >> @@ -1418,6 +1419,7 @@
> >>   msIsGlyphASpace@Base 7.2.0
> >>   msIsLayerQueryable@Base 6.2.1
> >>   msIsOuterRing@Base 6.2.1
> >> + msIsValidRegex@Base 7.6.2
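Review bot: `+ msIsValidRegex@Base 7.6.2` gives a patch-introduced symbol the upstream version; 7.6.2-1 does not export it, yet the resulting `libmapserver2 (>= 7.6.2)` dependency accepts 7.6.2-1. The entry should read `msIsValidRegex@Base 7.6.2-2~`. Note also that this hunk's header announces seven lines in the new file but the quote stops after the added line, so the trailing context was trimmed in the reply and the rest of the debdiff is not visible here.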
> > 
> > This version is not high enough. The symbols need to be marked as
> > requiring 7.6.2-2~
> 
> There are no rdeps of mapserver in Debian, so no users of the symbols file.

It's technically wrong. If you introduce symbols with a patch, the
symbols need to be properly versioned. After all, there is a user of the
symbols file and that is mapserver itself. If you have to introduce
calls to those two symbols outside of libmapserver in the next patch,
the dependency on libmapserver is wrong.

> 
> > Please remove the moreinfo tag once that fixed version is available in
> > unstable.
> 
> mapserver (7.6.2-2) has been uploaded to unstable without further
> changes to the symbols file.

Again, please remove the moreinfo tag only once a fixed version is
available in unstable.

Cheers

> 
> Kind Regards,
> 
> Bas
> 
> -- 
>  GPG Key ID: 4096R/6750F10AE88D4AF1
> Fingerprint: 8182 DE41 7056 408D 6146  50D1 6750 F10A E88D 4AF1
> 

-- 
Sebastian Ramacher
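The versioning point argued above (a symbol introduced by a Debian patch must carry the revision, `7.6.2-2~`, so that the dependency generated from the symbols file cannot be met by 7.6.2-1, which lacks the symbol) can be shown mechanically. The script below is an added example, not part of this thread nor of the mapserver or dpkg code: it models dpkg's version comparison and the minimal-version dependency dpkg-shlibdeps derives from a symbols file, using constructed three-line excerpts of debian/libmapserver2.symbols.

```python
import functools
# Added example, not dpkg's or mapserver's code: a simplified model of dpkg's
# version comparison and of the dependency dpkg-shlibdeps derives from a symbols file.
def _order(s, i):
    # dpkg character weights: '~' sorts before even end-of-string; digits and end count as 0
    c = s[i] if i < len(s) else ""
    return -1 if c == "~" else 0 if c == "" or c.isdigit() else ord(c) if c.isalpha() else ord(c) + 256

def _verrevcmp(a, b):
    # Compare one upstream or revision component the way dpkg's verrevcmp() does
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac, bc = _order(a, i), _order(b, j)
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        while i < len(a) and a[i] == "0": i += 1  # leading zeros are insignificant
        while j < len(b) and b[j] == "0": j += 1
        while i < len(a) and j < len(b) and a[i].isdigit() and b[j].isdigit():
            first_diff = first_diff or ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if i < len(a) and a[i].isdigit(): return 1   # a's number has more digits, so is larger
        if j < len(b) and b[j].isdigit(): return -1
        if first_diff: return first_diff
    return 0

def deb_version_cmp(v1, v2):
    # Full [epoch:]upstream[-revision] comparison; negative, zero or positive
    def split(v):
        epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
        upstream, _, rev = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), upstream, rev
    (e1, u1, r1), (e2, u2, r2) = split(v1), split(v2)
    return (e1 > e2) - (e1 < e2) or _verrevcmp(u1, u2) or _verrevcmp(r1, r2)

# Constructed excerpts of debian/libmapserver2.symbols: as uploaded, and as the release team asked
SYMBOLS_UPLOADED = " msCalculateScale@Base 6.2.1\n msCaseEvalRegex@Base 7.6.2\n msIsValidRegex@Base 7.6.2\n"
SYMBOLS_FIXED = " msCalculateScale@Base 6.2.1\n msCaseEvalRegex@Base 7.6.2-2~\n msIsValidRegex@Base 7.6.2-2~\n"

def min_dependency(symbols_text, used_symbols):
    # Highest minimal version among the symbols a binary uses: the "(>= X)" shlibdeps emits
    table = {l.split()[0].split("@")[0]: l.split()[1] for l in symbols_text.splitlines() if l.strip()}
    return max((table[s] for s in used_symbols), key=functools.cmp_to_key(deb_version_cmp))

def satisfies(installed, required):
    # Would an installed libmapserver2 at this version satisfy "libmapserver2 (>= required)"?
    return deb_version_cmp(installed, required) >= 0
```

With the uploaded file, a binary using msIsValidRegex gets `(>= 7.6.2)`, which the older 7.6.2-1 library satisfies although it lacks the symbol; with `7.6.2-2~` the dependency rejects 7.6.2-1 and still accepts 7.6.2-2 and its binNMUs.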
