* Ivo De Decker:
>> The new version contains fixes for two issues for which CVE entries have
>> been requested[1].
>>
>> Other issues are fixed in this version, but since the only reverse
>> dependencies are built from libguestfs (same upstream author, also
>> maintained by me), I see little danger of unexpected breakage.
>
> This does not seem to comply with the freeze policy. If you think it does,
> please explain the individual changes. If not, please revert the upstream
> version and do a targeted fix.
Here is the list of changes from upstream git between 1.3.10 and 1.3.11,
along with some explanations.

f1cce9c * perl: Provide alternate definition of newSVpvn_utf8 for older Perl.

This is just used for ancient RedHat versions. It is irrelevant for jessie,
but does no harm.

cea8dbf * generator: Fix a spelling mistake in the documentation (RHBZ#1099286).

A cosmetic fix.

2bde2be * Fix garbage return value on error
e3918bd * Fix overly long assertion string

These two fix bugs that I would consider important.

7fb0619 * Silence dead assignments/initialization/increments
01fd565 * Avoid calling calloc(0, x)
75855a5 * python: expose package version
284b1e7 * python: move module to separate directory
b46d008 * python: export hive_types constants
b9ac714 * Ignore python/hivex directory.

These are mostly cosmetic fixes.

f70c79e * python: use errors more specific than RuntimeError
73083c0 * python: use PyErr_NoMemory
4c57237 * python: check some types for get_value
3bfb2f1 * python: fix crash by validating key and value
654b7e4 * python: add heavier tests for setvalue

The above five make the Python API more usable. I'd consider that important.

cc709b7 * generator: Fix mixed tabs/spaces

Cosmetic fixes.

9763f96 * value: Set errno = 0 on non-error path in hivex_value_data_cell_offset (RHBZ#1145056).

Fixes bug on error path. I'd consider that important.

914d9b9 * hivexml: Tidy up error handling and printing.

Low priority.

357f26f * handle: Refuse to open files < 8192 bytes in size.
4bbdf55 * handle: Check that pages do not extend beyond the end of the file.

These two are thought to be CVE-worthy by somebody at Red Hat -> at least important.

dba4e1e * extra-tests: Add trivial fuzz tester.

Not really needed.

Cheers,
-Hilko

-- 
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]
Archive: https://lists.debian.org/[email protected]
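As an added illustration of the two checks behind 357f26f and 4bbdf55 (this is example code written for this page, not hivex's own code and not from the mail above), the C below validates a hive image before anything parses it. It assumes the registry hive layout of a 4096-byte "regf" header block followed by "hbin" pages, with the 32-bit little-endian page size at byte 8 of each page header; check_sample builds a constructed in-memory sample to exercise the checks.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Layout assumptions (modelled on the registry hive format, not taken from
 * the mail): a 4096-byte "regf" header block, then hbin pages from offset
 * 0x1000, each page a multiple of 4096 bytes. */
#define HIVE_HEADER_SIZE 4096u
#define HIVE_PAGE_ALIGN  4096u
#define HIVE_MIN_SIZE    8192u  /* header plus at least one page */

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Returns 1 if the file is large enough and every hbin page lies inside
 * buf[0..len), else 0.  Assumed hbin header: "hbin" magic, a u32 LE page
 * offset, then the u32 LE page size at byte 8. */
int hive_pages_in_bounds(const uint8_t *buf, size_t len)
{
    if (buf == NULL || len < HIVE_MIN_SIZE || memcmp(buf, "regf", 4) != 0)
        return 0;                           /* 357f26f: refuse tiny files */
    size_t off = HIVE_HEADER_SIZE;
    while (off < len) {
        if (len - off < 12 || memcmp(buf + off, "hbin", 4) != 0)
            return 0;                       /* truncated or bogus page header */
        uint32_t page_size = le32(buf + off + 8);
        /* 4bbdf55: compare with the remaining length, so off + page_size
         * can never wrap and a page can never extend past end of file. */
        if (page_size == 0 || page_size % HIVE_PAGE_ALIGN != 0 ||
            page_size > len - off)
            return 0;
        off += page_size;
    }
    return 1;
}

/* Constructs a sample hive in a static buffer and validates it: file_len
 * bytes, "regf" header, one hbin at 0x1000 claiming page_size bytes. */
int check_sample(size_t file_len, uint32_t page_size)
{
    static uint8_t buf[16384];
    if (file_len > sizeof buf) return -1;
    memset(buf, 0, sizeof buf);
    memcpy(buf, "regf", 4);
    memcpy(buf + HIVE_HEADER_SIZE, "hbin", 4);
    for (int i = 0; i < 4; i++)             /* page_size, little-endian */
        buf[HIVE_HEADER_SIZE + 8 + i] = (uint8_t)(page_size >> (8 * i));
    return hive_pages_in_bounds(buf, file_len);
}
```

The size check is done against the remaining length rather than by adding offset and size, so a page size near 0xFFFFFFFF cannot wrap the arithmetic and slip past the bound.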

