Bug#872441: stretch-pu: package gsoap/2.8.35-4+deb9u1

2017-09-27 Thread Adam D. Barratt
Control: tags -1 + pending

On Sat, 2017-09-23 at 18:24 +0100, Jonathan Wiltshire wrote:
> Control: tag -1 confirmed
> 
> On Fri, Aug 18, 2017 at 11:35:09AM +0200, Mattias Ellert wrote:
[...]
> > diff -Nru gsoap-2.8.35/debian/changelog gsoap-
> > 2.8.35/debian/changelog
> > --- gsoap-2.8.35/debian/changelog   2016-12-06
> > 09:32:36.0 +0100
> > +++ gsoap-2.8.35/debian/changelog   2017-08-16
> > 11:58:11.0 +0200
> > @@ -1,3 +1,9 @@
> > +gsoap (2.8.35-4+deb9u1) stretch; urgency=medium
> > +
> > +  * Fix for CVE-2017-9765
> > +
> > + -- Mattias Ellert   Wed, 16 Aug
> > 2017 11:58:11 +0200
> 
> Please go ahead, but a little more detail in your changelog (what is
> CVE-2017-9765 and what changed to fix it?) is always appreciated.
> 

Uploaded and flagged for acceptance.

Regards,

Adam



Bug#872441: stretch-pu: package gsoap/2.8.35-4+deb9u1

2017-09-24 Thread Salvatore Bonaccorso
Hi Jonathan,

On Sat, Sep 23, 2017 at 06:24:49PM +0100, Jonathan Wiltshire wrote:
> Control: tag -1 confirmed
> 
> On Fri, Aug 18, 2017 at 11:35:09AM +0200, Mattias Ellert wrote:
> > On Fri 2017-08-18 at 08:46 +0100, Adam D. Barratt wrote:
> > > On 2017-08-18 8:01, Mattias Ellert wrote:
> > > > On Thu 2017-08-17 at 21:59 +0100, Adam D. Barratt wrote:
> > > > > On Thu, 2017-08-17 at 20:22 +0200, Martin Zobel-Helas wrote:
> > > > > > Hi,
> > > > > > 
> > > > > > On Thu Aug 17, 2017 at 16:38:36 +0200, Mattias Ellert wrote:
> > > > > 
> > > > > [...]
> > > > > > > +gsoap (2.8.35-4+deb9u1) stretch; urgency=medium
> > > > > > > +
> > > > > > > +  * Fix for CVE-2017-9765 (Closes: )
> > > 
> > > [...]
> > > > > Is there actually a Debian bug for the issue? I couldn't find one.
> 
> I've been trying to unpick exactly whether this issue is fixed in unstable
> or not. I can only assume so since the security tracker claims it so
> (https://security-tracker.debian.org/tracker/CVE-2017-9765) but your
> changelog for 2.8.49-1 doesn't mention the CVE. I presume the CVE wasn't
> yet public before you fixed it?

Yes, the issue was fixed upstream in 2.8.48, cf.
https://www.genivia.com/changelog.html#Version_2.8.48_upd_(06/21/2017).
The CVE is not mentioned in upstream changelog, and presumably was as
well only assigned later.

Regards,
Salvatore



Bug#872441: stretch-pu: package gsoap/2.8.35-4+deb9u1

2017-09-23 Thread Jonathan Wiltshire
Control: tag -1 confirmed

On Fri, Aug 18, 2017 at 11:35:09AM +0200, Mattias Ellert wrote:
> On Fri 2017-08-18 at 08:46 +0100, Adam D. Barratt wrote:
> > On 2017-08-18 8:01, Mattias Ellert wrote:
> > > On Thu 2017-08-17 at 21:59 +0100, Adam D. Barratt wrote:
> > > > On Thu, 2017-08-17 at 20:22 +0200, Martin Zobel-Helas wrote:
> > > > > Hi,
> > > > > 
> > > > > On Thu Aug 17, 2017 at 16:38:36 +0200, Mattias Ellert wrote:
> > > > 
> > > > [...]
> > > > > > +gsoap (2.8.35-4+deb9u1) stretch; urgency=medium
> > > > > > +
> > > > > > +  * Fix for CVE-2017-9765 (Closes: )
> > 
> > [...]
> > > > Is there actually a Debian bug for the issue? I couldn't find one.

I've been trying to unpick exactly whether this issue is fixed in unstable
or not. I can only assume so since the security tracker claims it so
(https://security-tracker.debian.org/tracker/CVE-2017-9765) but your
changelog for 2.8.49-1 doesn't mention the CVE. I presume the CVE wasn't
yet public before you fixed it?

This is why a tracking bug against the package, even after the event,
is helpful when someone who has no other connection with the package gets a
request to look into it.

(Incidentally the fixed versions on #859932 confused me until I realised
that you're including previous uploads in your changes every time you
upload. You really needn't do that, it just ends up generating lies in the
version tracking.)


> diff -Nru gsoap-2.8.35/debian/changelog gsoap-2.8.35/debian/changelog
> --- gsoap-2.8.35/debian/changelog 2016-12-06 09:32:36.0 +0100
> +++ gsoap-2.8.35/debian/changelog 2017-08-16 11:58:11.0 +0200
> @@ -1,3 +1,9 @@
> +gsoap (2.8.35-4+deb9u1) stretch; urgency=medium
> +
> +  * Fix for CVE-2017-9765
> +
> + -- Mattias Ellert   Wed, 16 Aug 2017 11:58:11 
> +0200

Please go ahead, but a little more detail in your changelog (what is
CVE-2017-9765 and what changed to fix it?) is always appreciated.

Thanks,

-- 
Jonathan Wiltshire  j...@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51



Bug#872441: stretch-pu: package gsoap/2.8.35-4+deb9u1

2017-08-18 Thread Adam D. Barratt

On 2017-08-18 10:35, Mattias Ellert wrote:
> I am sorry to have upset you,

I'm not upset, just confused. Mostly as to why one would default to
assuming that an upload to stable is /technically/ a fundamentally
different beast to an upload to unstable or experimental.

> but to me it was obvious the bug should
> be closed by the update,

The release.debian.org bug is tracking a process. That process is
complete when your fixed package is in {,old}stable, not simply because
you uploaded.

> and the instruction did not say it should not
> be. Maybe you could add a sentence stating this in the instructions.


Which instructions? 
https://lists.debian.org/debian-devel-announce/2016/11/msg9.html is 
the most recent and closest I can think of. While that doesn't 
explicitly say not to close the release.d.o bug in your upload, it also 
aims to give positive pointers so the fact that it doesn't say to do so 
implies that you should not.


(The Dev Ref section on stable doesn't specify anything at all in terms 
of how the package should be structured afaics, so again I'd have 
assumed that the default was to use the changelog as usual.)


Regards,

Adam



Bug#872441: stretch-pu: package gsoap/2.8.35-4+deb9u1

2017-08-18 Thread Mattias Ellert
On Fri 2017-08-18 at 08:46 +0100, Adam D. Barratt wrote:
> On 2017-08-18 8:01, Mattias Ellert wrote:
> > On Thu 2017-08-17 at 21:59 +0100, Adam D. Barratt wrote:
> > > On Thu, 2017-08-17 at 20:22 +0200, Martin Zobel-Helas wrote:
> > > > Hi,
> > > > 
> > > > On Thu Aug 17, 2017 at 16:38:36 +0200, Mattias Ellert wrote:
> > > 
> > > [...]
> > > > > +gsoap (2.8.35-4+deb9u1) stretch; urgency=medium
> > > > > +
> > > > > +  * Fix for CVE-2017-9765 (Closes: )
> 
> [...]
> > > Is there actually a Debian bug for the issue? I couldn't find one.
> 
> [...]
> > I don't understand the last comment here.
> 
> Apparently not.
> 
> > Of course there is a bug - it is this one.
> > 
> > The reason the debdiff in the request says "Closes: ", is a
> > chicken-and-egg problem. You are supposed to attach the debdiff to the
> > request, but before you make the request its BTS number does not yet
> > exist - so you can't include it in the attachment at creation time.
> > After I got the confirmation back with the number I updated the
> > changelog with the bug number.
> 
> *NO*. There is no chicken and egg problem here at all.
> 
> The bug number you would close in the changelog relates to a bug filed 
> _against gsoap_, the same as it would for any other upload. You should 
> never be closing bugs filed against release.debian.org in an upload of 
> your package. You're fixing a bug in your package, the release.d.o bug 
> is a means of tracking that, not a thing fixed in the upload.
> 
> If there is no bug filed against gsoap that relates to the issue, then 
> there should be no bug closed in the changelog.
> 
> Regards,
> 
> Adam

Closes statement removed as requested.

I am sorry to have upset you, but to me it was obvious the bug should
be closed by the update, and the instruction did not say it should not
be. Maybe you could add a sentence stating this in the instructions.

Mattias
diff -Nru gsoap-2.8.35/debian/changelog gsoap-2.8.35/debian/changelog
--- gsoap-2.8.35/debian/changelog	2016-12-06 09:32:36.0 +0100
+++ gsoap-2.8.35/debian/changelog	2017-08-16 11:58:11.0 +0200
@@ -1,3 +1,9 @@
+gsoap (2.8.35-4+deb9u1) stretch; urgency=medium
+
+  * Fix for CVE-2017-9765
+
+ -- Mattias Ellert   Wed, 16 Aug 2017 11:58:11 +0200
+
 gsoap (2.8.35-4) unstable; urgency=medium
 
   * Rebuild for OpenSSL 1.1.0
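Review bot: the only bullet in the new entry, "Fix for CVE-2017-9765", does not say what the vulnerability is or what was changed. The accompanying patch changes the buffer bound handling in soap_get_pi in stdsoap2.c and stdsoap2.cpp, so name that function and the nature of the fix in the bullet; the changelog should be readable without looking up the CVE.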
diff -Nru gsoap-2.8.35/debian/patches/gsoap-CVE-2017-9765.patch gsoap-2.8.35/debian/patches/gsoap-CVE-2017-9765.patch
--- gsoap-2.8.35/debian/patches/gsoap-CVE-2017-9765.patch	1970-01-01 01:00:00.0 +0100
+++ gsoap-2.8.35/debian/patches/gsoap-CVE-2017-9765.patch	2017-08-16 11:54:02.0 +0200
@@ -0,0 +1,54 @@
+diff -ur gsoap-2.8.orig/gsoap/stdsoap2.c gsoap-2.8/gsoap/stdsoap2.c
+--- gsoap-2.8.orig/gsoap/stdsoap2.c	2016-04-03 03:33:31.0 +0200
 gsoap-2.8/gsoap/stdsoap2.c	2017-08-01 14:51:44.141083499 +0200
+@@ -1711,17 +1711,16 @@
+ soap_get_pi(struct soap *soap)
+ { char buf[64];
+   char *s = buf;
+-  int i = sizeof(buf);
+-  soap_wchar c = soap_getchar(soap);
+-  /* This is a quick way to parse XML PI and we could use a callback instead to
+-   * enable applications to intercept processing instructions */
+-  while ((int)c != EOF && c != '?')
+-  { if (--i > 0)
++  size_t i = sizeof(buf);
++  soap_wchar c;
++  /* Parse the XML PI encoding declaration and look for  */
++  while ((int)(c = soap_getchar(soap)) != EOF && c != '?')
++  { if (i > 1)
+ { if (soap_blank(c))
+ c = ' ';
+   *s++ = (char)c;
++  i--;
+ }
+-c = soap_getchar(soap);
+   }
+   *s = '\0';
+   DBGLOG(TEST, SOAP_MESSAGE(fdebug, "XML PI \n", buf));
+diff -ur gsoap-2.8.orig/gsoap/stdsoap2.cpp gsoap-2.8/gsoap/stdsoap2.cpp
+--- gsoap-2.8.orig/gsoap/stdsoap2.cpp	2016-04-03 03:33:31.0 +0200
 gsoap-2.8/gsoap/stdsoap2.cpp	2017-08-01 14:51:44.143083498 +0200
+@@ -1711,17 +1711,16 @@
+ soap_get_pi(struct soap *soap)
+ { char buf[64];
+   char *s = buf;
+-  int i = sizeof(buf);
+-  soap_wchar c = soap_getchar(soap);
+-  /* This is a quick way to parse XML PI and we could use a callback instead to
+-   * enable applications to intercept processing instructions */
+-  while ((int)c != EOF && c != '?')
+-  { if (--i > 0)
++  size_t i = sizeof(buf);
++  soap_wchar c;
++  /* Parse the XML PI encoding declaration and look for  */
++  while ((int)(c = soap_getchar(soap)) != EOF && c != '?')
++  { if (i > 1)
+ { if (soap_blank(c))
+ c = ' ';
+   *s++ = (char)c;
++  i--;
+ }
+-c = soap_getchar(soap);
+   }
+   *s = '\0';
+   DBGLOG(TEST, SOAP_MESSAGE(fdebug, "XML PI \n", buf));
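Review bot: the new bound check at `if (i > 1)` in soap_get_pi deserves a comment saying why it replaced `if (--i > 0)`. The removed form decremented the signed `int i` for every character read, stored or not, so on a very long processing instruction the counter could run past its minimum, wrap to a positive value and allow writes beyond `buf[64]`. The new form decrements the `size_t` counter only when a byte is stored, so at most 63 bytes plus the terminator are written. The loop still reads until the first `?` or EOF with no cap on how much input is discarded; if that is intended, say so in the comment.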
diff -Nru gsoap-2.8.35/debian/patches/series gsoap-2.8.35/debian/patches/series
--- gsoap-2.8.35/debian/patches/series	2016-09-26 14:49:01.0 +0200
+++ gsoap-2.8.35/debian/patches/series	2017-08-16 11:57:36.0 +0200
@@ -10,3 +10,6 @@
 
 # Backport fix from upstream
 gsoap-backport.patch
+
+# CVE-2017-9765
+gsoap-CVE-2017-9765.patch



Bug#872441: stretch-pu: package gsoap/2.8.35-4+deb9u1

2017-08-18 Thread Adam D. Barratt

On 2017-08-18 8:01, Mattias Ellert wrote:
> On Thu 2017-08-17 at 21:59 +0100, Adam D. Barratt wrote:
> > On Thu, 2017-08-17 at 20:22 +0200, Martin Zobel-Helas wrote:
> > > Hi,
> > >
> > > On Thu Aug 17, 2017 at 16:38:36 +0200, Mattias Ellert wrote:

[...]
> > +gsoap (2.8.35-4+deb9u1) stretch; urgency=medium
> > +
> > +  * Fix for CVE-2017-9765 (Closes: )

[...]

> > Is there actually a Debian bug for the issue? I couldn't find one.

[...]
> I don't understand the last comment here.

Apparently not.

> Of course there is a bug - it is this one.
>
> The reason the debdiff in the request says "Closes: ", is a
> chicken-and-egg problem. You are supposed to attach the debdiff to the
> request, but before you make the request its BTS number does not yet
> exist - so you can't include it in the attachment at creation time.
> After I got the confirmation back with the number I updated the
> changelog with the bug number.


*NO*. There is no chicken and egg problem here at all.

The bug number you would close in the changelog relates to a bug filed 
_against gsoap_, the same as it would for any other upload. You should 
never be closing bugs filed against release.debian.org in an upload of 
your package. You're fixing a bug in your package, the release.d.o bug 
is a means of tracking that, not a thing fixed in the upload.


If there is no bug filed against gsoap that relates to the issue, then 
there should be no bug closed in the changelog.


Regards,

Adam



Bug#872441: stretch-pu: package gsoap/2.8.35-4+deb9u1

2017-08-18 Thread Martin Zobel-Helas
Hi, 

On Fri Aug 18, 2017 at 09:01:04 +0200, Mattias Ellert wrote:
> On Thu 2017-08-17 at 21:59 +0100, Adam D. Barratt wrote:
> > On Thu, 2017-08-17 at 20:22 +0200, Martin Zobel-Helas wrote:
> > > Hi, 
> > > 
> > > On Thu Aug 17, 2017 at 16:38:36 +0200, Mattias Ellert wrote:
> > 
> > [...]
> > > > +gsoap (2.8.35-4+deb9u1) stretch; urgency=medium
> > > > +
> > > > +  * Fix for CVE-2017-9765 (Closes: )
> > > > +
> > > > + -- Mattias Ellert   Wed, 16 Aug 2017 
> > > > 11:58:11 +0200
> > > > +
> > > >  gsoap (2.8.35-4) unstable; urgency=medium
> > > 
> > > once this changelog has a proper Closes line with bug-number this patch
> > > looks sane to me.
> > 
> > Is there actually a Debian bug for the issue? I couldn't find one.
> > 
> > Regards,
> > 
> > Adam
> > 
> 
> Hi!
> 
> I don't understand the last comment here.
> Of course there is a bug - it is this one.
> 
> The reason the debdiff in the request says "Closes: ", is a
> chicken-and-egg problem. You are supposed to attach the debdiff to the
> request, but before you make the request its BTS number does not yet
> exist - so you can't include it in the attachment at creation time.
> After I got the confirmation back with the number I updated the
> changelog with the bug number.

No, this is the bug report for the p-u upload. What the release team is
looking for is a (RC) bug assigned to the package, that describes the
real issue, linking the CVEs, ...

Cheers,
Martin
-- 
 Martin Zobel-Helas Debian System Administrator
 Debian & GNU/Linux Developer   Debian Listmaster
 http://about.me/zobel   Debian Webmaster
 GPG Fingerprint:  6B18 5642 8E41 EC89 3D5D  BDBB 53B1 AC6D B11B 627B 



Bug#872441: stretch-pu: package gsoap/2.8.35-4+deb9u1

2017-08-18 Thread Mattias Ellert
On Thu 2017-08-17 at 21:59 +0100, Adam D. Barratt wrote:
> On Thu, 2017-08-17 at 20:22 +0200, Martin Zobel-Helas wrote:
> > Hi, 
> > 
> > On Thu Aug 17, 2017 at 16:38:36 +0200, Mattias Ellert wrote:
> 
> [...]
> > > +gsoap (2.8.35-4+deb9u1) stretch; urgency=medium
> > > +
> > > +  * Fix for CVE-2017-9765 (Closes: )
> > > +
> > > + -- Mattias Ellert   Wed, 16 Aug 2017 
> > > 11:58:11 +0200
> > > +
> > >  gsoap (2.8.35-4) unstable; urgency=medium
> > 
> > once this changelog has a proper Closes line with bug-number this patch
> > looks sane to me.
> 
> Is there actually a Debian bug for the issue? I couldn't find one.
> 
> Regards,
> 
> Adam
> 

Hi!

I don't understand the last comment here.
Of course there is a bug - it is this one.

The reason the debdiff in the request says "Closes: ", is a
chicken-and-egg problem. You are supposed to attach the debdiff to the
request, but before you make the request its BTS number does not yet
exist - so you can't include it in the attachment at creation time.
After I got the confirmation back with the number I updated the
changelog with the bug number.

Mattias




Bug#872441: stretch-pu: package gsoap/2.8.35-4+deb9u1

2017-08-17 Thread Adam D. Barratt
On Thu, 2017-08-17 at 20:22 +0200, Martin Zobel-Helas wrote:
> Hi, 
> 
> On Thu Aug 17, 2017 at 16:38:36 +0200, Mattias Ellert wrote:
[...]
> > +gsoap (2.8.35-4+deb9u1) stretch; urgency=medium
> > +
> > +  * Fix for CVE-2017-9765 (Closes: )
> > +
> > + -- Mattias Ellert   Wed, 16 Aug 2017 
> > 11:58:11 +0200
> > +
> >  gsoap (2.8.35-4) unstable; urgency=medium
> 
> once this changelog has a proper Closes line with bug-number this patch
> looks sane to me.

Is there actually a Debian bug for the issue? I couldn't find one.

Regards,

Adam



Bug#872441: stretch-pu: package gsoap/2.8.35-4+deb9u1

2017-08-17 Thread Martin Zobel-Helas
Hi, 

On Thu Aug 17, 2017 at 16:38:36 +0200, Mattias Ellert wrote:
> Package: release.debian.org
> Severity: normal
> Tags: stretch
> User: release.debian@packages.debian.org
> Usertags: pu
> 
> This is a proposal to fix CVE-2017-9765 in stretch.
> debdiff is attached.
> 
> Mattias Ellert

> diff -Nru gsoap-2.8.35/debian/changelog gsoap-2.8.35/debian/changelog
> --- gsoap-2.8.35/debian/changelog 2016-12-06 09:32:36.0 +0100
> +++ gsoap-2.8.35/debian/changelog 2017-08-16 11:58:11.0 +0200
> @@ -1,3 +1,9 @@
> +gsoap (2.8.35-4+deb9u1) stretch; urgency=medium
> +
> +  * Fix for CVE-2017-9765 (Closes: )
> +
> + -- Mattias Ellert   Wed, 16 Aug 2017 11:58:11 
> +0200
> +
>  gsoap (2.8.35-4) unstable; urgency=medium

once this changelog has a proper Closes line with bug-number this patch
looks sane to me.

Cheers,
Martin
(former stable release manager)

-- 
 Martin Zobel-Helas Debian System Administrator
 Debian & GNU/Linux Developer   Debian Listmaster
 http://about.me/zobel   Debian Webmaster
 GPG Fingerprint:  6B18 5642 8E41 EC89 3D5D  BDBB 53B1 AC6D B11B 627B 



Bug#872441: stretch-pu: package gsoap/2.8.35-4+deb9u1

2017-08-17 Thread Mattias Ellert
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

This is a proposal to fix CVE-2017-9765 in stretch.
debdiff is attached.

Mattias Ellert
diff -Nru gsoap-2.8.35/debian/changelog gsoap-2.8.35/debian/changelog
--- gsoap-2.8.35/debian/changelog	2016-12-06 09:32:36.0 +0100
+++ gsoap-2.8.35/debian/changelog	2017-08-16 11:58:11.0 +0200
@@ -1,3 +1,9 @@
+gsoap (2.8.35-4+deb9u1) stretch; urgency=medium
+
+  * Fix for CVE-2017-9765 (Closes: )
+
+ -- Mattias Ellert   Wed, 16 Aug 2017 11:58:11 +0200
+
 gsoap (2.8.35-4) unstable; urgency=medium
 
   * Rebuild for OpenSSL 1.1.0
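Review bot: the bullet ends in "(Closes: )" with no bug number, so it closes nothing and reads as an unfinished entry. Either drop the parenthesis or fill in the number of a bug filed against gsoap that describes the issue.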
diff -Nru gsoap-2.8.35/debian/patches/gsoap-CVE-2017-9765.patch gsoap-2.8.35/debian/patches/gsoap-CVE-2017-9765.patch
--- gsoap-2.8.35/debian/patches/gsoap-CVE-2017-9765.patch	1970-01-01 01:00:00.0 +0100
+++ gsoap-2.8.35/debian/patches/gsoap-CVE-2017-9765.patch	2017-08-16 11:54:02.0 +0200
@@ -0,0 +1,54 @@
+diff -ur gsoap-2.8.orig/gsoap/stdsoap2.c gsoap-2.8/gsoap/stdsoap2.c
+--- gsoap-2.8.orig/gsoap/stdsoap2.c	2016-04-03 03:33:31.0 +0200
 gsoap-2.8/gsoap/stdsoap2.c	2017-08-01 14:51:44.141083499 +0200
+@@ -1711,17 +1711,16 @@
+ soap_get_pi(struct soap *soap)
+ { char buf[64];
+   char *s = buf;
+-  int i = sizeof(buf);
+-  soap_wchar c = soap_getchar(soap);
+-  /* This is a quick way to parse XML PI and we could use a callback instead to
+-   * enable applications to intercept processing instructions */
+-  while ((int)c != EOF && c != '?')
+-  { if (--i > 0)
++  size_t i = sizeof(buf);
++  soap_wchar c;
++  /* Parse the XML PI encoding declaration and look for  */
++  while ((int)(c = soap_getchar(soap)) != EOF && c != '?')
++  { if (i > 1)
+ { if (soap_blank(c))
+ c = ' ';
+   *s++ = (char)c;
++  i--;
+ }
+-c = soap_getchar(soap);
+   }
+   *s = '\0';
+   DBGLOG(TEST, SOAP_MESSAGE(fdebug, "XML PI \n", buf));
+diff -ur gsoap-2.8.orig/gsoap/stdsoap2.cpp gsoap-2.8/gsoap/stdsoap2.cpp
+--- gsoap-2.8.orig/gsoap/stdsoap2.cpp	2016-04-03 03:33:31.0 +0200
 gsoap-2.8/gsoap/stdsoap2.cpp	2017-08-01 14:51:44.143083498 +0200
+@@ -1711,17 +1711,16 @@
+ soap_get_pi(struct soap *soap)
+ { char buf[64];
+   char *s = buf;
+-  int i = sizeof(buf);
+-  soap_wchar c = soap_getchar(soap);
+-  /* This is a quick way to parse XML PI and we could use a callback instead to
+-   * enable applications to intercept processing instructions */
+-  while ((int)c != EOF && c != '?')
+-  { if (--i > 0)
++  size_t i = sizeof(buf);
++  soap_wchar c;
++  /* Parse the XML PI encoding declaration and look for  */
++  while ((int)(c = soap_getchar(soap)) != EOF && c != '?')
++  { if (i > 1)
+ { if (soap_blank(c))
+ c = ' ';
+   *s++ = (char)c;
++  i--;
+ }
+-c = soap_getchar(soap);
+   }
+   *s = '\0';
+   DBGLOG(TEST, SOAP_MESSAGE(fdebug, "XML PI \n", buf));
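Review bot: the new file gsoap-CVE-2017-9765.patch begins directly at `diff -ur` with no header, so the package does not record what the patch is for or where it came from; add a short description and origin above the diff. The same change is carried twice, once for stdsoap2.c and once for stdsoap2.cpp, and the two copies need to stay identical in any later revision. The replacement comment in both copies ends at "look for" with nothing after it and should be completed.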
diff -Nru gsoap-2.8.35/debian/patches/series gsoap-2.8.35/debian/patches/series
--- gsoap-2.8.35/debian/patches/series	2016-09-26 14:49:01.0 +0200
+++ gsoap-2.8.35/debian/patches/series	2017-08-16 11:57:36.0 +0200
@@ -10,3 +10,6 @@
 
 # Backport fix from upstream
 gsoap-backport.patch
+
+# CVE-2017-9765
+gsoap-CVE-2017-9765.patch

