Control: tag -1 confirmed

Hi Jörg,

Jörg Frings-Fürst <[email protected]> (2017-05-28):
> I have the release 5.9.5-3.2+deb8u1 with fixes for the CVEs:
> 
>  CVE-2017-9224
>  CVE-2017-9226
>  CVE-2017-9227
>  CVE-2017-9228
>  CVE-2017-9229
> 
> ready. The debdiff is attached.

It seems there was some kind of coordination with the security team,
since I see “no-dsa” mentioned in the security tracker, but feel free
to mention this upfront in your next pu requests.

A few remarks:
 - patch -p1 was unhappy with the debian/patches/series update. :)
 - funny things, using square brackets in filenames.

I suspect it would have been nice to have separate patches for each
bug fix, in case someone needs to dig into one or another, but oh
well, having them all lumped together isn't that bad.

A few comments:
> diff -Nru libonig-5.9.5/debian/changelog libonig-5.9.5/debian/changelog
> --- libonig-5.9.5/debian/changelog    2014-12-28 12:11:12.000000000 +0100
> +++ libonig-5.9.5/debian/changelog    2017-05-28 16:59:55.000000000 +0200
> @@ -1,3 +1,15 @@
> +libonig (5.9.5-3.2+deb8u1) stable; urgency=medium

Please always use codenames, and target jessie instead.

> +  * New debian/patches/0500-CVE-2017-922[4-9].patch:
> +    - Cherrypicked from upstream to correct:
> +      + CVE-2017-9224 (Closes: #863312)
> +      + CVE-2017-9226 (Closes: #863314)
> +      + CVE-2017-9227 (Closes: #863315)
> +      + CVE-2017-9228 (Closes: #863316)
> +      + CVE-2017-9229 (Closes: #863318)
> +
> + -- Jörg Frings-Fürst <[email protected]>  Sun, 28 May 2017 16:59:55 
> +0200
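Review bot: the patch filename `0500-CVE-2017-922[4-9].patch` named in this changelog entry contains square brackets, which are shell glob and `patch`/quilt pattern characters and are what made `patch -p1` choke on the series update; a plain name such as `0500-CVE-2017-9224-to-9229.patch`, or one patch per CVE, avoids the problem. Also double-check that the trailer `-- Jörg Frings-Fürst <...>  Sun, 28 May 2017 16:59:55 +0200` is a single line in the real file (it is wrapped in the mail here), since `dpkg-parsechangelog` rejects a split trailer.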

[…]

> --- libonig-5.9.5/debian/patches/0500-CVE-2017-922[4-9].patch 1970-01-01 
> 01:00:00.000000000 +0100
> +++ libonig-5.9.5/debian/patches/0500-CVE-2017-922[4-9].patch 2017-05-26 
> 07:07:41.000000000 +0200
> @@ -0,0 +1,121 @@
> +Correct CVE-2017-922[4-9]
> + Fix mutilple invalid pointer dereference, out-of-bounds write memory 
> + corruption and stack buffer overflow,
> +Origin: Cheerypicked from upstream
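Review bot: the DEP-3 header does not say which upstream commit(s) the fix was taken from; `Origin: Cheerypicked from upstream` should be of the form `Origin: upstream, <upstream commit URL or id>` so that someone auditing the five CVEs can compare against the upstream change. While there, fix the typos in the description (`mutilple` -> `multiple`, `Cheerypicked` -> `cherry-picked`), end the description with a period rather than a comma, and consider adding `Bug-Debian:` lines for #863312, #863314, #863315, #863316 and #863318 so the patch is self-describing.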

(multiple & cherrypicked)

With the target distribution (and maybe typos) fixed, feel free to
upload; thanks.


KiBi.
