Bug#725359: polarssl: CVE-2013-5914 CVE-2013-5915
Hi,

yes, preparing a new 1.2.9 for stable. This also fixes the other outstanding issues with polarssl.

Should I upload it to the security queue?

Roland

--
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#725359: polarssl: CVE-2013-5914 CVE-2013-5915
On Wed, Oct 16, 2013 at 10:51:12AM +0200, Roland Stigge wrote:
> Hi,
>
> yes, preparing a new 1.2.9 for stable. This also fixes the other outstanding issues with polarssl.
>
> Should I upload it to the security queue?

Yes, but please send a debdiff to t...@security.debian.org first

Please use 1.2.9-1~deb7u1 for stable-security. Due to a bug in dak on security-master we cannot release a package with the same tarball in oldstable-security and stable-security. As such, we first need to release 1.2.9-1~deb7u1 for stable-security and 1.2.9-1~deb6u1 for oldstable-security can follow later.

Since the 1.2.9 tarball is new in the security archive, the updates need to be built with -sa.

Cheers,
Moritz
Bug#725359: polarssl: CVE-2013-5914 CVE-2013-5915
Hi,

On 16/10/13 17:20, Moritz Muehlenhoff wrote:
>> yes, preparing a new 1.2.9 for stable. This also fixes the other outstanding issues with polarssl.
>>
>> Should I upload it to the security queue?
>
> Yes, but please send a debdiff to t...@security.debian.org first

See attached polarssl.debdiff: Only debian/changes is changed since all changes are in the upstream tarball only. Please tell if you need a diff of the latter one also.

> Please use 1.2.9-1~deb7u1 for stable-security. Due to a bug in dak on security-master we cannot release a package with the same tarball in oldstable-security and stable-security. As such, we first need to release 1.2.9-1~deb7u1 for stable-security and 1.2.9-1~deb6u1 for oldstable-security can follow later.
>
> Since the 1.2.9 tarball is new in the security archive, the updates need to be built with -sa.

OK, please tell when I should upload.

Thanks in advance,

Roland

diff -ruN polarssl-1.2.8/debian/changelog polarssl-1.2.9/debian/changelog --- polarssl-1.2.8/debian/changelog 2013-06-23 11:11:34.124047388 +0200 +++ polarssl-1.2.9/debian/changelog 2013-10-16 20:15:19.360074536 +0200 @@ -1,3 +1,10 @@ +polarssl (1.2.9-1~deb7u1) stable-security; urgency=low + + * New upstream release +- Fixes CVE-2013-5914 CVE-2013-5915 (Closes: #725359) + + -- Roland Stigge sti...@antcom.de Wed, 16 Oct 2013 20:04:47 +0200 + polarssl (1.2.8-2) unstable; urgency=low * Activate HAVEGE config option manually, needed since 1.2.8
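
Review bot: `urgency=low` on the first added line of the changelog hunk does not match the upload it describes, which targets stable-security and closes #725359 for CVE-2013-5914 and CVE-2013-5915; consider `urgency=high` for this stanza. The entry also lists only the CVE ids under "New upstream release"; a short line per CVE saying what was fixed would let a reader judge the update from the changelog without following the bug link.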
Bug#725359: polarssl: CVE-2013-5914 CVE-2013-5915
On Wed, Oct 16, 2013 at 08:20:07PM +0200, Roland Stigge wrote:
> Hi,
>
> On 16/10/13 17:20, Moritz Muehlenhoff wrote:
>>> yes, preparing a new 1.2.9 for stable. This also fixes the other outstanding issues with polarssl.
>>>
>>> Should I upload it to the security queue?
>>
>> Yes, but please send a debdiff to t...@security.debian.org first
>
> See attached polarssl.debdiff: Only debian/changes is changed since all changes are in the upstream tarball only. Please tell if you need a diff of the latter one also.
>
>> Please use 1.2.9-1~deb7u1 for stable-security. Due to a bug in dak on security-master we cannot release a package with the same tarball in oldstable-security and stable-security. As such, we first need to release 1.2.9-1~deb7u1 for stable-security and 1.2.9-1~deb6u1 for oldstable-security can follow later.
>>
>> Since the 1.2.9 tarball is new in the security archive, the updates need to be built with -sa.
>
> OK, please tell when I should upload.

Please go ahead.

Cheers,
Moritz
Bug#725359: polarssl: CVE-2013-5914 CVE-2013-5915
Package: polarssl
Severity: grave
Tags: security
Justification: user security hole

https://polarssl.org/tech-updates/security-advisories/polarssl-security-advisory-2013-04
https://polarssl.org/tech-updates/security-advisories/polarssl-security-advisory-2013-05

CVE-2013-5915 doesn't sound backportable. Since polarssl has no reverse deps in Wheezy I suggest we update stable to 1.2.9. What do you think?

Cheers,
Moritz