On Sat, Oct 27, 2018 at 01:59:13PM +0200, Salvatore Bonaccorso wrote:
> Hi Roberto,
>
> On Sat, Oct 20, 2018 at 11:10:17PM -0400, Roberto C. Sánchez wrote:
> > Hi all,
> >
> > I prepared an update of exiv2 for jessie. The patches I prepared
> > applied to the stretch version with only one minor change required.
> >
> > The main change is the patch for CVE-2018-16336. However, I also
> > included a tweak to the patch for CVE-2018-10958/CVE-2018-10999 based on
> > feedback I received approximately one month after I uploaded the last
> > security update for exiv2:
> >
> > https://github.com/Exiv2/exiv2/issues/302#issuecomment-408640903
> >
> > I have attached a debdiff from version 0.25-3.1+deb9u1 to
> > 0.25-3.1+deb9u2 for your review and the actual packages are available
> > here:
> >
> > https://people.debian.org/~roberto/
> >
> > If the package and proposed changes look good, please let me know and I
> > can sign and upload the packages and someone on the security team can
> > publish the DSA.
>
> Looking at CVE-2018-16336 I feel it does not really warrant a DSA on
> its own. But given you have prepared a targeted fix for the issue,
> can I redirect you through the stretch-pu mechanism and have a fix
> included in the next stretch point release?

That sounds like a reasonable approach. Are these the correct
instructions for me to follow?

https://www.debian.org/doc/manuals/developers-reference/ch05.html#upload-stable

Regards,

-Roberto

--
Roberto C. Sánchez
