Hi László, hi Ondřej,

On Thu 31 Dec 2015 19:01:33 CET, László Böszörményi (GCS) wrote:

> On Thu, Dec 31, 2015 at 10:04 AM, Ondřej Surý <ond...@debian.org> wrote:
> > I have a git mirror[1] (git cvsimport) of upstream CVS and right now
> > it's a tad bit confusing which patches are relevant to those CVEs.
>  I've packaged 4.0.6, fixed two CVEs and two other vulnerabilities
> that don't have an id. However CVE-2015-8668 is not yet fixed by
> upstream as I see.
>
> > I will have more time cherry-picking the patches next week, so if
> > somebody starts the work (even for unstable), I really won't mind. In
> > fact it would be much appreciated.
>  I'm going to finish my investigations tomorrow even if my employer
> counts on me from 6am. Will do the upload and other fixes can come in
> later as upstream commit those.
>
> > Also feel free to prepare Debian LTS update, I will share relevant
> > patches, but we'll have to prepare security update for jessie and wheezy
> > (+ tiff3 for wheezy), so feel free to take care about this in Debian LTS
>  I can do the Wheezy + Jessie updates as well. But I've accepted
> Raphaël's advice not to do LTS security work so I follow Ondřej here:
> you can do the Squeeze LTS update yourself.

I (with my LTS team hat on) just signed up for looking at fixing tiff in squeeze-lts.

@László: once you have finished your research tomorrow, could you send a short summary with your findings (or even upload a new package version to unstable)?


mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de

