On Fri, May 04, 2018 at 09:10:47PM +0200, Maximiliano Curia wrote:
> ¡Hola Moritz!
>
> El 2018-05-03 a las 23:18 +0200, Maximiliano Curia escribió:
> > ¡Hola Moritz!
>
> > El 2018-05-03 a las 22:56 +0200, Moritz Muehlenhoff escribió:
> > > On Thu, May 03, 2018 at 07:29:42PM +0200, Maximiliano Curia wrote:
> > > > Hi,
>
> > > > Following up the upstream announcement of a security flaw in
> > > > kwallet-pam [1] I would like to upload the upstream fixes to
> > > > stretch. All the versions prior the (not yet released) 5.12.6 are
> > > > affected by this. The fix was backported by upstream to plasma 5.8,
> > > > which is what we shipped in stretch.
>
> > > > The latest 5.8 upstream version (5.8.9), only has a version bump,
> > > > and a minor translation update, which are not relevant. [2]
>
> > > > I have already uploaded the fixes to unstable.
>
> > > > I'm attaching the corresponding debdiff.
>
> > > Looks good. Please build with -sa since kwallet-pam is new in
> > > stretch-security
> > > and upload to security-master. I'll take care of the DSA.
>
> > Uploaded, thanks for taking care of this!
>
> If you the patched versions are still not published, please don't publish
> them, there are a couple of reported regressions with the patches as is.
>
> https://bugs.kde.org/show_bug.cgi?id=393856
>
> https://bugs.debian.org/897687
>
> https://bugs.launchpad.net/ubuntu/+source/kwallet-pam/+bug/1769187
>
> https://bugs.archlinux.org/task/58446?project=1&string=kwallet-pam
>
> I'm really sorry about this.
That's great timing :-)
I was about to test and release the update this evening, but I'll
put in on hold for now.
Cheers,
Moritz
