Hi Johan,
On 13-11-15 11:46, Sebastiaan Couwenberg wrote:
> On 13-11-15 06:45, Salvatore Bonaccorso wrote:
>> On Thu, Nov 12, 2015 at 10:31:55PM +0100, Sebastiaan Couwenberg wrote:
>>> Dear Security Team,
>>>
>>> The patch to fix multiple vulnerabilities identified by American Fuzzy Lop
>>> reported in #781228 caused a regression as reported in the GDAL issue tracker:
>>>
>>> https://trac.osgeo.org/gdal/ticket/6200
>>>
>>> The change to fix this regression was included in freexl (1.0.1-1~exp1), but
>>> not in the security updates for jessie (1.0.0g-1+deb8u1) & wheezy (1.0.0b-1+deb7u1).
>>>
>>> I've prepared updates to fix this regression for jessie & wheezy, see the
>>> attached debdiffs.
>>>
>>> Are these regression fixes appropriate for upload to {wheezy,jessie}-security
>>> or should they be uploaded to proposed-updates instead?
>>
>> Since the regression was introduced via a DSA, we might address this
>> regression through a follow-up DSA:
>>
>> s/UNRELEASED/wheezy-security/ and urgency=high set, or respectively
>> jessie-security for the second one.
>>
>> With the above changes please go ahead with your upload to security-master.
>>
>> Thanks for your work and pinging us about the regression.
>
> Thanks for the quick feedback,
>
> I've set the distribution and urgency as appropriate for security uploads and
> uploaded both to security-master.

We also need this regression fix uploaded for Ubuntu trusty & vivid. Shall I
also do those, or can you take care of the uploads for Ubuntu?

Please note that besides afl-vulnerabilitities-regression.patch we may also
want to include 32bit-multiplication-overflow.patch in the update; this issue
hasn't been fixed in Ubuntu yet.
Kind Regards,

Bas

-- 
GPG Key ID: 4096R/6750F10AE88D4AF1
Fingerprint: 8182 DE41 7056 408D 6146 50D1 6750 F10A E88D 4AF1
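The changelog step described in the thread (replace UNRELEASED with the target security suite and set urgency=high) as an added shell example that is not part of this mail exchange or of the freexl package: it rewrites the top stanza of a constructed debian/changelog and then checks the resulting header before an upload to security-master. The package name is taken from the thread, but the version strings, maintainer, dates and changelog entries in the sample are constructed for illustration and do not reproduce the real freexl uploads.

```shell
#!/bin/sh
# Added example (not from the thread): prepare the top debian/changelog stanza
# for a follow-up security upload and verify it before uploading.
set -eu

# Constructed sample changelog. Versions, maintainer and dates are illustrative;
# the "+deb7u2" follow-up version is an assumption, not the real upload.
sample_changelog() {
  cat <<'EOF'
freexl (1.0.0b-1+deb7u2) UNRELEASED; urgency=medium

  * Fix regression introduced by the AFL vulnerability fixes (GDAL #6200).

 -- Example Maintainer <maintainer@example.org>  Fri, 13 Nov 2015 11:46:00 +0100

freexl (1.0.0b-1+deb7u1) wheezy-security; urgency=high

  * Fix multiple vulnerabilities found with American Fuzzy Lop.

 -- Example Maintainer <maintainer@example.org>  Thu, 12 Nov 2015 22:31:00 +0100
EOF
}

# Rewrite only the first stanza header (line 1) of the changelog on stdin:
# distribution UNRELEASED -> the suite given as $1, urgency -> high.
# Older stanzas are left untouched, as they describe already-released uploads.
set_security_suite() {
  suite="$1"
  sed -e "1s/) UNRELEASED;/) ${suite};/" \
      -e '1s/urgency=[a-z]*/urgency=high/'
}

# Sanity check before an upload: the first header must name a -security suite
# for one of the two releases discussed and carry urgency=high. Prints the
# header on success, exits non-zero otherwise.
check_security_header() {
  head -n 1 | grep -E '^[a-z0-9.+-]+ \([^)]+\) (wheezy|jessie)-security; urgency=high$'
}

# Demonstration: rewrite for wheezy and show the resulting header.
sample_changelog | set_security_suite wheezy-security | check_security_header
```

For the jessie upload the same function is called with jessie-security; in a real package directory the input would be `debian/changelog` itself, and the check belongs in whatever pre-upload hook runs before `dput` to security-master.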
