On Wed, 2013-03-20 at 17:06 +0900, Hideki Yamane wrote:
> I'd like to upload smarty package to fix CVE-2012-4437.
> Security team suggest me to upload it to s-p-u.
> Please check attached debdiff.
+smarty (2.6.26-1) stable-proposed-updates; urgency=high 2.6.26-0.2+squeeze1 would be more conventional. + * QA upload. + * add debian/patches/avoid_possible_script_execution_from_2.6.27.patch + - CVE-2012-4437: cherry picked from upstream, prevent XSS (Closes: #702710) + Thanks to Yoshinari Takaoka <[email protected]> for the report. The fix for the XSS looks fine, but: diff -Nru smarty-2.6.26/debian/source/format smarty-2.6.26/debian/source/format --- smarty-2.6.26/debian/source/format 1970-01-01 09:00:00.000000000 +0900 +++ smarty-2.6.26/debian/source/format 2013-03-10 22:31:20.000000000 +0900 @@ -0,0 +1 @@ +3.0 (quilt) Definitely not in a stable update. Regards, Adam
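Review bot: The changelog entry in the first hunk lists only the addition of debian/patches/avoid_possible_script_execution_from_2.6.27.patch, while the same debdiff also creates debian/source/format. Every packaging change in an upload to stable-proposed-updates should appear in the changelog so the release team can see the full scope from the entry alone. Either drop the source format change or add a bullet for it. The version 2.6.26-1 also carries no marker that this is a stable update, which makes it hard to tell apart from a regular revision of the same upstream version.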
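Review bot: The debian/source/format hunk creates the file (`@@ -0,0 +1 @@`, old side dated 1970-01-01), so the package had no declared format before and was built as format 1.0. Switching to `3.0 (quilt)` changes how the source package is unpacked and built, which is unrelated to the CVE-2012-4437 fix. If this hunk is dropped, note that a file under debian/patches is not applied automatically by dpkg-source in format 1.0, so the XSS fix has to be applied through whatever patch mechanism the package already uses, or directly to the source in the diff. Rebuild afterwards and confirm the fix is actually present in the resulting binary package.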

