Hi Nico,

On Sat, 22 Dec, 2007 at 07:46:12PM +0100, Nico Golde wrote:
> Hi Varun,
> * Varun Hiremath <[EMAIL PROTECTED]> [2007-12-22 19:12]:
> > On Sat, 22 Dec, 2007 at 04:29:31PM +0100, Nico Golde wrote:
> > > Hi,
> > > attached is a patch for an NMU which fixes these issues.
> > > It will be also archived on:
> > > http://people.debian.org/~nion/nmu-diff/libjfreechart-java-1.0.8-1_1.0.8-1.1.patch
> >
> > These two patches are included in the new upstream release 1.0.8a
> > which we already have ready for upload, but it introduces new bugs
> > [1].
>
> Oh thanks I missed this in the bug report.
>
> > The bug [1] has been fixed in the jfreechart-1.0.x-branch but
> > that branch doesn't seem to include the security fixes, so we can't
> > update to that branch also. So, we thought of waiting for the new
> > 1.0.9 release which should happen any time next week.
>
> Waiting for security releases is considered to be bad if you
> can gather the information for fixing this issue.
>
> > @ Michael, should we release 1.0.8a version?
>
> No please not if it breaks things.
>
> Can you maybe ask upstream for the patch then?
> His changes to the branch are in revision 676 but he later
> removed some of them in 683 so I am a bit confused about the
> status of this in the branch.

Exactly, even the upstream Changelog entries are totally confusing and
haven't mentioned anywhere clearly that it fixes the concerned
CVE. But, still I will try to ask him for a patch.

I am on vacation from the day after tomorrow, so Michael, could you
please take care of this bug?

Regards
Varun

-- 
Varun Hiremath
Undergraduate Student,
Aerospace Engineering Department,
Indian Institute of Technology Madras,
Chennai, India
---------------------------------------
Homepage : http://varun.travisbsd.org

