On 02/03/2017 11:06 AM, Guido Günther wrote: > On Fri, Feb 03, 2017 at 10:07:55AM +0100, Sebastiaan Couwenberg wrote: >> Dear LTS Team, >> >> Vincent Privat of the JOSM development team have provided a fix for >> CVE-2017-5617 (#853134). >> >> I've included a patch with his changes in the Debian package, and >> uploaded it to unstable, and backported the patch for the jessie & >> wheezy packages. >> >> Affected versions: >> >> * jessie: 0~svn95-1 >> * wheezy: 0~svn95-1 >> >> Fixed versions: >> >> * jessie: 0~svn95-1+deb8u1 >> * wheezy: 0~svn95-1+deb7u1 >> >> Are these changes OK for upload to security-master? > > Thanks for looking into this! > > Looks good from the LTS point of view (wheezy-security)! Feel free to > upload. Since you did not cc the security team ([email protected]) for > jessie-security I assume you sent a separate mail?
Correct, see: https://lists.debian.org/debian-java/2017/02/msg00009.html > Do you want to send the DLA as well or should I handle it? I'm a little short on time as I'm leaving for FOSDEM in an hour, so if you can handle the DLA that'd be great. Thanks in advance! > Note that you can only upload the orig.tar.gz once (either for > wheezy-security or jessie-security) since both use the same upstream > versions. I built the jessie revision with -sa which was just uploaded to security-master, so I'll build the wheezy revision without it. Kind Regards, Bas -- GPG Key ID: 4096R/6750F10AE88D4AF1 Fingerprint: 8182 DE41 7056 408D 6146 50D1 6750 F10A E88D 4AF1
