On Sun, Oct 03, 2010 at 04:01:11PM +0200, Julien Cristau wrote:
> On Thu, Sep 30, 2010 at 14:47:46 -0700, John Stamp wrote:
>
> > Please unblock package lastfm
> >
> > It contains a security-relevant bugfix: CVE-2010-3362 (#598294)
> >
> It also contains a bunch of other unrelated changes, not documented in
> the changelog.
>
> Cheers,
> Julien
Yikes. I'm sorry about that. I backed out the undocumented patches and uploaded -6, which now only adds the fix for CVE-2010-3362. The diff from the version in testing is below:

diff --git a/debian/changelog b/debian/changelog index 4ee2479..47f5048 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,16 @@ +lastfm (1:1.5.4.26862+dfsg-6) unstable; urgency=high + + * Back out the undocumented changes that sneaked in with -5. We only want + the fix for CVE-2010-3362. + + -- John Stamp <[email protected]> Mon, 04 Oct 2010 13:23:01 -0700 + +lastfm (1:1.5.4.26862+dfsg-5) unstable; urgency=high + + * Fix CVE-2010-3362: insecure library loading (Closes: #598294) + + -- John Stamp <[email protected]> Thu, 30 Sep 2010 14:03:23 -0700 + lastfm (1:1.5.4.26862+dfsg-4) unstable; urgency=low * Bump Standards-Version to 3.9.1. No changes needed. diff --git a/debian/package-files/bin/lastfm b/debian/package-files/bin/lastfm index 34a2487..aef3654 100755 --- a/debian/package-files/bin/lastfm +++ b/debian/package-files/bin/lastfm @@ -1,5 +1,5 @@ #!/bin/sh RUNDIR="/usr/lib/lastfm" -export LD_LIBRARY_PATH="${RUNDIR}:${LD_LIBRARY_PATH}" +export LD_LIBRARY_PATH="${RUNDIR}${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}" exec "${RUNDIR}/last.fm" "$@"

Regards,
John Stamp

Archive: http://lists.debian.org/20101004205931.ga1...@pintsize
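Review bot: the -6 entry in the debian/changelog hunk only says that undocumented changes from -5 were backed out; for the unblock record it would help to name what was reverted (the files or upstream changes touched), because `Back out the undocumented changes that sneaked in with -5` leaves the next reader with the same gap the -5 upload had. The urgency=high on both entries and the `Closes: #598294` reference on the -5 entry are appropriate for a security fix and match the CVE cited in the unblock request.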
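Review bot: the replaced `export LD_LIBRARY_PATH=` line in the debian/package-files/bin/lastfm hunk deserves a one-line comment in the script explaining why the `${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}` form is used, so a later cleanup does not reintroduce the bug: the old `"${RUNDIR}:${LD_LIBRARY_PATH}"` expands to `/usr/lib/lastfm:` when the variable is unset, and the dynamic loader treats an empty path element as the current working directory, which is the insecure library loading the -5 changelog entry refers to as CVE-2010-3362. The `:+` expansion is POSIX and safe under `#!/bin/sh`; the one residual caveat is that an inherited LD_LIBRARY_PATH that already contains empty elements is passed through unchanged, which is the caller's environment rather than something this wrapper can fix.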

