On Wed, 2011-11-30 at 14:22 -0430, Miguel Landaeta wrote:
> I have prepared an upload to fix #650430 / CVE-2011-4358.
>
> This bug affects mojarra 2.0.3-1 in stable.

Thanks for working on this.

> I'm attaching the debdiff with the backported patch that fixes
> this issue and the updated package meant for squeeze.

It's not exactly a minimal patch - admittedly we've seen worse. :)

I'm guessing that the .properties changes and the pulling in of logging code are part of the upstream patch, although I'm not really sure how they contribute to fixing the bug. Maybe I'm just getting cynical in my old age. :)

> I plan to do an urgent upload to unstable before the weekend.

It might be obvious and predictable, but for the record - the unstable upload needs to happen before stable. Preferably unstable wants to be fixed for a few days at least, in order to verify that no obvious regressions occur.

> A patch and a link to a PoC can be found in the body of the #650430 report.

Have the security team confirmed that they don't wish to handle this via a DSA? I couldn't see anything in the bug report or the security tracker which mentions not doing so.

Regards,

Adam

