Hi Salvatore,

On 01/08/2014 10:09 AM, Salvatore Bonaccorso wrote:
> On Wed, Jan 08, 2014 at 08:40:35AM +0100, Sebastiaan Couwenberg wrote:
>> On 01/08/2014 08:25 AM, Salvatore Bonaccorso wrote:
>>> If you fix the vulnerability please also make sure to include the
>>> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>>
>> The new mapserver packages were prepared before the CVE was available.

I've prepared new mapserver packages for squeeze and wheezy with only the fix for this CVE; the new stable upstream release route I initially took is not proper to fix this issue.

mapserver (6.0.1-3.2+deb7u2) for wheezy:
http://mentors.debian.net/debian/pool/main/m/mapserver/mapserver_6.0.1-3.2+deb7u2.dsc

mapserver (5.6.5-2+squeeze3) for squeeze:
http://mentors.debian.net/debian/pool/main/m/mapserver/mapserver_5.6.5-2+squeeze3.dsc

The squeeze package contained debhelper.log files in the debian/ directory, which caused problems for clean pbuilder builds, so they were removed. And dpatch insisted on changing the permissions. I've included these changes in the squeeze package too.

>>> Please adjust the affected versions in the BTS as needed, at least
>>> unstable from looking at source seems affected.
>>
>> Unstable is no longer affected with the upload of mapserver 6.4.1, wheezy
>> and squeeze still are, but the proposed updates for both are waiting for
>> feedback from the release team:
>
> Could you clarify if the second commit referenced in
>
> https://github.com/mapserver/mapserver/issues/4834
> (WFS-2 specific fixes for postgis time sql injections (#4834,#4815))
>
> is also needed? Is this relevant for Debian?

No, the WFS-2 specific commit shouldn't be relevant for Debian yet. The vulnerability was discovered during the implementation of WFS 2.0 support in MapServer. That support only lives in the master branch for now and will be included in the next major upstream release.

> Thanks for your work, and regards,
> Salvatore

If the security-team approves the package changes, shall I ask my sponsor to upload the packages?

Kind Regards,

Bas

--
GnuPG: 0xE88D4AF1 (new) / 0x77A975AD (old)