Moritz Muehlenhoff <j...@inutil.org> wrote:

> Package: icu
> Severity: important
> Tags: security
> 
> Hi,
> the issue CVE-2014-6585 from today's Oracle patch update
> (http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html)
> is actually a vulnerability in ICU (since Java embeds a copy). Red Hat
> has tracked this down further and isolated the patch, please see
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-6591 for more
> details. The patch isn't in ICU trunk yet, so please forward it
> upstream unless they are not aware of it yet. It would be nice to
> get that fixed in jessie.
>
> Actually there's another one:
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-6591

The patch was easy to apply to ICU 52, which is in Jessie. It didn't
apply perfectly, but it was very easy to see how to apply it manually. I
noticed that the Red Hat bug is closed with WONTFIX but it also looks
like they have a RHSA that addresses it. As for whether my application
of the patch is correct, all I have to go on is whether ICU's test suite
passes, which it does. I'll upload 52.1-7 to unstable with urgency=high
(though I believe urgency is ignored right now) and will request a
freeze exception justified by this fixing a security bug. Please advise
as to whether this should be fixed in stable. I'm not sure how urgent it
is given that a formal CVE has not yet been issued (right?) and that
this is classified as low risk.

-- 
Jay Berkenbilt <q...@debian.org>
