Bug#933637: Bug#933636: CVE-2019-14934

2021-03-26 Thread Salvatore Bonaccorso
Hi Francois,

On Fri, Jul 31, 2020 at 10:18:23AM +0200, Salvatore Bonaccorso wrote:
> Hi Francois,
> 
> On Mon, Feb 10, 2020 at 03:59:22PM -0800, Francois Marier wrote:
> > On 2020-02-07 at 10:14:24, Salvatore Bonaccorso wrote:
> > > > It looks OK to me. Tagging moreinfo until there's a final diff.
> > > 
> > > Friendly ping, any news? (It's too late now for the upcoming point
> > > release though).
> > 
> > It's still on my list, but not a very high priority. Definitely won't happen
> > until at least after the Ubuntu 20.04 Debian merge deadline.
> 
> It would now be too late for the 10.5 buster point release, but did you
> find time to finalize the debdiff for review for SRM? Then we might
> target 10.6.

There is in the meantime one more CVE which might be included. They are
at this time CVE-2019-14267, CVE-2020-9549, CVE-2019-14934 and
CVE-2020-20740, which are all marked no-dsa or unimportant (with
negligible security impact), but maybe if you would still like to fix
those for buster, we can close this report and then open a new one
with a revisited debdiff?

What do you think?

Regards,
Salvatore



Bug#933637: Bug#933636: CVE-2019-14934

2020-07-31 Thread Salvatore Bonaccorso
Hi Francois,

On Mon, Feb 10, 2020 at 03:59:22PM -0800, Francois Marier wrote:
> On 2020-02-07 at 10:14:24, Salvatore Bonaccorso wrote:
> > > It looks OK to me. Tagging moreinfo until there's a final diff.
> > 
> > Friendly ping, any news? (It's too late now for the upcoming point
> > release though).
> 
> It's still on my list, but not a very high priority. Definitely won't happen
> until at least after the Ubuntu 20.04 Debian merge deadline.

It would now be too late for the 10.5 buster point release, but did you
find time to finalize the debdiff for review for SRM? Then we might
target 10.6.

Regards,
Salvatore



Bug#933636: CVE-2019-14934

2020-06-15 Thread Adam D. Barratt
On Mon, 2020-02-10 at 15:59 -0800, Francois Marier wrote:
> On 2020-02-07 at 10:14:24, Salvatore Bonaccorso wrote:
> > > It looks OK to me. Tagging moreinfo until there's a final diff.
> > 
> > Friendly ping, any news? (It's too late now for the upcoming point
> > release though).
> 
> It's still on my list, but not a very high priority. Definitely won't happen
> until at least after the Ubuntu 20.04 Debian merge deadline.
> 

For the record, we're now planning for the final stretch point release
before it moves to LTS.

Regards,

Adam



Bug#933636: CVE-2019-14934

2020-02-10 Thread Francois Marier
On 2020-02-07 at 10:14:24, Salvatore Bonaccorso wrote:
> > It looks OK to me. Tagging moreinfo until there's a final diff.
> 
> Friendly ping, any news? (It's too late now for the upcoming point
> release though).

It's still on my list, but not a very high priority. Definitely won't happen
until at least after the Ubuntu 20.04 Debian merge deadline.

Francois

-- 
https://fmarier.org/



Bug#933636: CVE-2019-14934

2020-02-07 Thread Salvatore Bonaccorso
Hi Francois,

On Tue, Aug 20, 2019 at 09:42:54PM +0100, Adam D. Barratt wrote:
> Control: tags -1 + moreinfo
> 
> On Tue, 2019-08-13 at 23:29 -0700, Francois Marier wrote:
> > There is now an additional CVE that affects pdfresurrect in buster and
> > stretch:
> > 
> >   https://security-tracker.debian.org/tracker/CVE-2019-14934
> > 
> > Neither this one nor CVE-2019-14267 is deemed worthy of a DSA however.
> > 
> > If you approve the first upload I have prepared for buster and stretch, I
> > will revise it to include the fix for this second CVE, but I will wait for
> > your initial approval before putting any more work into this.
> 
> It looks OK to me. Tagging moreinfo until there's a final diff.

Friendly ping, any news? (It's too late now for the upcoming point
release though).

Regards,
Salvatore



Processed: Re: Bug#933636: CVE-2019-14934

2019-08-20 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + moreinfo
Bug #933637 [release.debian.org] buster-pu: package pdfresurrect/0.15-2
Added tag(s) moreinfo.

-- 
933637: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=933637
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: Re: Bug#933636: CVE-2019-14934

2019-08-20 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + moreinfo
Bug #933636 [release.debian.org] stretch-pu: package pdfresurrect/0.12-6
Added tag(s) moreinfo.

-- 
933636: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=933636
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#933636: CVE-2019-14934

2019-08-20 Thread Adam D. Barratt
Control: tags -1 + moreinfo

On Tue, 2019-08-13 at 23:29 -0700, Francois Marier wrote:
> There is now an additional CVE that affects pdfresurrect in buster and
> stretch:
> 
>   https://security-tracker.debian.org/tracker/CVE-2019-14934
> 
> Neither this one nor CVE-2019-14267 is deemed worthy of a DSA however.
> 
> If you approve the first upload I have prepared for buster and stretch, I
> will revise it to include the fix for this second CVE, but I will wait for
> your initial approval before putting any more work into this.

It looks OK to me. Tagging moreinfo until there's a final diff.

Regards,

Adam



Bug#933636: CVE-2019-14934

2019-08-14 Thread Salvatore Bonaccorso
Hi Francois,

[Important disclaimer: not part of the release team]

On Tue, Aug 13, 2019 at 11:29:55PM -0700, Francois Marier wrote:
> There is now an additional CVE that affects pdfresurrect in buster and
> stretch:
> 
>   https://security-tracker.debian.org/tracker/CVE-2019-14934
> 
> Neither this one nor CVE-2019-14267 is deemed worthy of a DSA however.
> 
> If you approve the first upload I have prepared for buster and stretch, I
> will revise it to include the fix for this second CVE, but I will wait for
> your initial approval before putting any more work into this.

If you are confident that all of the changes would be accepted, then
you can even proceed already. It is important, though, that you provide
the bug report and a corresponding debdiff to the SRM.

See the announcement on the new workflow:
https://lists.debian.org/debian-devel-announce/2018/04/msg7.html

Hope this helps!

Regards,
Salvatore



Bug#933636: CVE-2019-14934

2019-08-14 Thread Francois Marier
There is now an additional CVE that affects pdfresurrect in buster and
stretch:

  https://security-tracker.debian.org/tracker/CVE-2019-14934

Neither this one nor CVE-2019-14267 is deemed worthy of a DSA however.

If you approve the first upload I have prepared for buster and stretch, I
will revise it to include the fix for this second CVE, but I will wait for
your initial approval before putting any more work into this.

Francois

-- 
https://fmarier.org/