Hello Nguyen, first of all I noticed that "e2fsprogs" was not in "dla-needed.txt" but that you added it yourself. I would suggest not doing that unless you want to help with CVE triaging.

In this case, the issue has been marked "no-dsa" for wheezy by the security team and this issue would have disappeared from https://security-tracker.debian.org/tracker/status/release/oldstable when someone of the LTS team would have tagged it "no-dsa" for squeeze as well. The best way to help the LTS team is to concentrate your efforts on issues that have been classified as severe enough and that have been added to data/dla-needed.txt by someone who has been doing CVE triaging.

That said, now that you prepared this update, I'm going to upload it.

On Tue, 10 Feb 2015, Nguyen Cong wrote:
> Oops, stupid mistakes.
> I have fixed it, could you please check it again.

It looks good. Did you test it? When you're asking someone else to upload it for you, you need to give us some confidence that the upload won't break anything. As such, telling us the tests you did is a good idea.

Also the description you write for the announce should target end users and not programmers. So "libext2fs was vulnerable to a potential buffer overflow if s_first_meta_bg is too big. This fix doesn't correct the bad value of s_first_meta_bg but avoids causing e2fsprogs userspace programs from potential crashing." is not really satisfactory. I would suggest something simpler:

« A broken (or maliciously crafted) file system could trigger a buffer overflow in e2fsprogs. »

Anyway, I have tested the update and sent the package. The announce will follow.

Thanks for your help!

-- 
Raphaël Hertzog ◈ Debian Developer
Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/

Archive: https://lists.debian.org/[email protected]
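The mail describes the bug only in one sentence: libext2fs trusted the on-disk s_first_meta_bg value when deciding how many group descriptor blocks to read from the classic location, so an oversized value made it write past a buffer sized for the file system's real descriptor count, and the fix clamps the value in memory rather than rewriting it on disk. The following is an added example written for this page, not e2fsprogs code and not the Debian patch. It models that check on a constructed image: the superblock field offsets (s_blocks_count at 4, s_first_data_block at 20, s_log_block_size at 24, s_blocks_per_group at 32, s_magic at 56, s_feature_incompat at 96, s_first_meta_bg at 260) and the META_BG flag value are the real ext2 layout, while every struct and function name (sb_fields, parse_superblock, classic_desc_blocks_unchecked, classic_desc_blocks_clamped, load_classic_descriptors, make_sample_image) is this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Added example, not e2fsprogs code. Offsets and flag value are the real ext2
 * superblock layout; the names and the reduced model are this example's own. */
#define EXT2_SUPER_MAGIC 0xEF53
#define INCOMPAT_META_BG 0x0010   /* EXT2_FEATURE_INCOMPAT_META_BG */
#define DESC_SIZE        32       /* classic 32-byte group descriptor */

struct sb_fields {
    uint32_t blocks_count, first_data_block, log_block_size, blocks_per_group;
    uint32_t feature_incompat, first_meta_bg;
};

static uint32_t le32(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint16_t le16(const unsigned char *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void put32(unsigned char *p, uint32_t v) {
    for (int i = 0; i < 4; i++) p[i] = (unsigned char)(v >> (8 * i));
}

/* Pull the fields this model needs out of a raw superblock. Returns 0 on success. */
int parse_superblock(const unsigned char *sb, struct sb_fields *f) {
    if (le16(sb + 56) != EXT2_SUPER_MAGIC) return -1;
    f->blocks_count     = le32(sb + 4);
    f->first_data_block = le32(sb + 20);
    f->log_block_size   = le32(sb + 24);
    f->blocks_per_group = le32(sb + 32);
    f->feature_incompat = le32(sb + 96);
    f->first_meta_bg    = le32(sb + 260);
    /* Basic sanity: block size 1 KiB..64 KiB, non-zero group size, at least one data block. */
    if (f->log_block_size > 6 || f->blocks_per_group == 0 ||
        f->blocks_count <= f->first_data_block) return -1;
    return 0;
}

uint32_t block_size(const struct sb_fields *f) { return 1024u << f->log_block_size; }

uint32_t group_count(const struct sb_fields *f) {
    uint64_t n = (uint64_t)f->blocks_count - f->first_data_block;
    return (uint32_t)((n + f->blocks_per_group - 1) / f->blocks_per_group);
}

/* Number of descriptor blocks the file system really has; the in-memory buffer is sized from this. */
uint32_t desc_blocks(const struct sb_fields *f) {
    uint32_t per_block = block_size(f) / DESC_SIZE;
    return (group_count(f) + per_block - 1) / per_block;
}

/* Vulnerable shape: with META_BG set, the number of blocks read from the classic
 * location is taken straight from the untrusted s_first_meta_bg field. */
uint32_t classic_desc_blocks_unchecked(const struct sb_fields *f) {
    if (!(f->feature_incompat & INCOMPAT_META_BG)) return desc_blocks(f);
    return f->first_meta_bg;
}

/* Hardened shape: clamp to the buffer's capacity. The on-disk value is left as it is,
 * which matches the mail's "doesn't correct the bad value but avoids crashing". */
uint32_t classic_desc_blocks_clamped(const struct sb_fields *f) {
    uint32_t n = classic_desc_blocks_unchecked(f), cap = desc_blocks(f);
    return n > cap ? cap : n;
}

/* Copy the classic descriptor blocks out of an image into dst. Returns bytes copied,
 * or -1 if the read would run past the image or the destination buffer. */
long load_classic_descriptors(const unsigned char *img, size_t img_len,
                              const struct sb_fields *f, unsigned char *dst, size_t dst_len) {
    uint32_t bs = block_size(f);
    uint64_t start = (uint64_t)(f->first_data_block + 1) * bs;  /* descriptors follow the superblock's block */
    uint64_t len = (uint64_t)classic_desc_blocks_clamped(f) * bs;
    if (len > dst_len || start + len > img_len) return -1;
    memcpy(dst, img + start, (size_t)len);
    return (long)len;
}

/* Constructed sample: four 1 KiB blocks, one block group, META_BG set, and a chosen
 * s_first_meta_bg. Only the blocks this example touches are present. */
unsigned char *make_sample_image(size_t *len_out, uint32_t first_meta_bg) {
    size_t len = 4 * 1024;
    unsigned char *img = calloc(1, len);
    if (!img) return NULL;
    unsigned char *sb = img + 1024;          /* block 1 holds the superblock with 1 KiB blocks */
    put32(sb + 4, 8192);                     /* s_blocks_count */
    put32(sb + 20, 1);                       /* s_first_data_block */
    put32(sb + 24, 0);                       /* s_log_block_size: 1024 << 0 */
    put32(sb + 32, 8192);                    /* s_blocks_per_group: a single group */
    sb[56] = 0x53; sb[57] = 0xEF;            /* s_magic, little-endian 0xEF53 */
    put32(sb + 96, INCOMPAT_META_BG);        /* s_feature_incompat */
    put32(sb + 260, first_meta_bg);          /* s_first_meta_bg: the untrusted field */
    memset(img + 2048, 0xAB, 1024);          /* block 2: the one real descriptor block */
    *len_out = len;
    return img;
}

int main(void) {
    size_t len; struct sb_fields f; unsigned char dst[1024];
    unsigned char *img = make_sample_image(&len, 0x7fffffffu);
    if (!img || parse_superblock(img + 1024, &f) != 0) return 1;
    printf("desc_blocks=%u unchecked=%u clamped=%u copied=%ld\n", desc_blocks(&f),
           classic_desc_blocks_unchecked(&f), classic_desc_blocks_clamped(&f),
           load_classic_descriptors(img, len, &f, dst, sizeof dst));
    free(img);
    return 0;
}
```

With the oversized field the unchecked count is 2147483647 blocks against a buffer sized for one, which is the overflow the mail refers to; the clamped count is one block, and the loader additionally refuses a destination smaller than the clamped read instead of trusting the caller.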
