On Wed, Mar 14, 2007 at 03:20:14PM +0100, Florian Ernst wrote:
> the upcoming 2.42a-6 of blender addresses CVE-2007-1253 (eval injection
> vulnerability in the kmz_ImportWithMesh.py script) currently affecting
> unstable/testing only.
> Upstream's take on this issue was to simply remove the buggy script, and
> we decided to follow suit, so this fix is basically a one-liner.
> However, there are some late documentation fixes and an update to
> debian/copyright we'd like to include as well, so I'm wondering whether
> you might find the attached debdiff acceptable.
> If not I will upload a new -6 containing just the changes you deem
> acceptable and ask for propagation to testing once it will be built.

AFAICS, a "user-assisted remote attacker" is not a high-priority security
hole.  So even that doesn't seem to be a reason for a freeze exception;
please check with the security team on whether this should be fixed via the
security upload queues.

> + * As of 2.43, one needs to use a ``YESIAMSTUPID'' macro in
> + source/creator/creator.c to be able to compile Blender on a 64-bit
> system.
> + This matter has not been advertised, but it mainly resides in the fact
> + that Blender is not 64-bit safe, in particular with respect to saved and
> + loaded files, especially when that happens between 32-bit and 64-bit
> + systems. Attention was paid to 64-bit systems, efforts were made, but not
> + enough to get a releasable version on those systems.

Um, this is not an adequate solution.  If the package is not "a releasable
version on [64-bit] systems", then the binaries should be removed from the
release, not just documented.

> --- blender-2.42a.orig/debian/NEWS
> +++ blender-2.42a/debian/NEWS
> @@ -0,0 +1,16 @@
> +blender (2.42a-6) unstable; urgency=high
> +
> + * Blender is not 64-bit safe (yet), in particular with respect to saved and
> + loaded files, especially when that happens between 32-bit and 64-bit
> + systems. Attention was paid to 64-bit systems, efforts were made, but not
> + enough to get a releasable version on those systems.
> +
> + * So, be aware that there might be issues with files manipulated on 64-bit
> + systems, although everything could be or look fine. The file format might
> + also change in further releases to make it 64-bit safe, which might lead
> + to incompatibilities with the files saved with the current 64-bit builds.
> +
> + * More information is available in the README.Debian file, available under
> + /usr/share/doc/blender/.
> +
> + -- Cyril Brulebois <[EMAIL PROTECTED]> Mon, 14 Mar 2007 12:01:01 +0100

It also doesn't seem to be "news", therefore doesn't belong in NEWS.Debian?

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
[EMAIL PROTECTED]                                   http://www.debian.org/
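Review bot: In the first quoted hunk, the opening sentence says "As of 2.43" while the package being uploaded is 2.42a-6, so a reader cannot tell whether the ``YESIAMSTUPID'' requirement in source/creator/creator.c applies to these binaries or only to a later upstream release. Suggest stating explicitly which version the macro refers to and whether the 2.42a 64-bit builds carry the same file-compatibility risk. The sentence "This matter has not been advertised, but it mainly resides in the fact that" is also hard to parse and could be reduced to a plain statement of the problem with files exchanged between 32-bit and 64-bit systems.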
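Review bot: The trailer line of the debian/NEWS hunk reads "Mon, 14 Mar 2007 12:01:01 +0100", but 14 March 2007 is a Wednesday (the mail quoting this patch is itself dated "Wed, Mar 14, 2007"), so the day name should be "Wed". In the same hunk, the header sets urgency=high on an entry that contains only a documentation notice, and the second item warns that "there might be issues with files manipulated on 64-bit systems" without telling the user what to do about it; a short recommendation there would make the entry actionable.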

