On 15/02/2019 13:31, Chris Lamb wrote:
> Hi Mattias,
>
>> I submitted this jessie update to the release team, but was informed to
>> contact you about it instead. What do I do?
>
> Indeed, they have sent you to the right place. :) As-per:
>
> https://wiki.debian.org/LTS/Development
>
> … we would fix CVE-2019-7659 via a jessie "LTS" security upload.
>
> I assume you are not part of the LTS team so you cannot follow the
> procedure outlined above, but would you object if I took your patch
> and did the upload and announcement myself?

Before pushing this, I was wondering if the change is safe. It is changing the signature of a public symbol. I don't think size_t and int are guaranteed to have the same size, thus it would be changing the ABI and rdeps would need to be rebuilt (in those cases where size_t and int have different sizes). And if we go down that slope, then libgsoap needs to bump the SONAME...

Is that right? If so, would it be possible to just change the type to a ssize_t instead?

Cheers,
Emilio