On 2016-05-12 15:07:19, Roberto C. Sánchez wrote:
> Hi Antoine,
>
> On Mon, May 09, 2016 at 05:09:30PM +0200, Markus Koschany wrote:
>> Hello Roberto, welcome on board!
>>
>> On 08.05.2016 at 05:34, Roberto C. Sánchez wrote:
>>
>> > I pulled the patch for CVE-2015-4844 from the upstream jdk8u project
>> > (based on the commit reference in openjdk-8's debian/changelog). I
>> > confirmed that this fix matched what was done by upstream in their
>> > subversion repository.
>> >
>> > I pulled the patch for CVE-2016-0494 from the upstream jdk8u project
>> > (based on the commit reference in openjdk-8's debian/changelog). I
>> > attempted to confirm this fix in upstream's subversion repository, but
>> > it appears to not have been fixed upstream yet.
>>
>> Antoine (anarcat) fixed this issue for Squeeze LTS and he also left some
>> comments at
>>
>> https://ssl.icu-project.org/trac/ticket/12020
>>
>> He also changed the runConfigure script and his patch for CVE-2016-0494
>> looks different to me. Perhaps you should contact him (or he will simply
>> respond to this message because he is subscribed too), discuss this
>> patch with him and ask him why his approach contains more changes than
>> the original upstream commit at
>>
>> http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/f556d4c82ef1
>>
>
> Do you think you might have some time to review the icu update I
> prepared for wheezy?

I will unfortunately not be able to do that until next week, unless
there's some sort of emergency. But given that this package has been
rotting there for a while, I don't feel like I should just drop
everything just yet. ;)

Is that alright?

A.

--
One has a moral responsibility to disobey unjust laws.
- Martin Luther King, Jr.