Bug#933637: Bug#933636: CVE-2019-14934
Hi Francois,

On Fri, Jul 31, 2020 at 10:18:23AM +0200, Salvatore Bonaccorso wrote:
> Hi Francois,
>
> On Mon, Feb 10, 2020 at 03:59:22PM -0800, Francois Marier wrote:
> > On 2020-02-07 at 10:14:24, Salvatore Bonaccorso wrote:
> > > > It looks OK to me. Tagging moreinfo until there's a final diff.
> > >
> > > Friendly ping, any news? (It's too late now for the upcoming point
> > > release though).
> >
> > It's still on my list, but not a very high priority. Definitely won't happen
> > until at least after the Ubuntu 20.04 Debian merge deadline.
>
> It would now be too late for the 10.5 buster point release, but did you
> find time to finalize the debdiff for review for SRM? Then we might
> target for 10.6.

There is in the meantime one more CVE which might be included. They are at
this time CVE-2019-14267, CVE-2020-9549, CVE-2019-14934 and CVE-2020-20740,
which are all marked no-dsa or unimportant (with negligible security impact),
but maybe if you still would like to fix those for buster, we can close this
report and then open a new one with a revisited debdiff?

What do you think?

Regards,
Salvatore

Bug#933637: Bug#933636: CVE-2019-14934
Hi Francois,

On Mon, Feb 10, 2020 at 03:59:22PM -0800, Francois Marier wrote:
> On 2020-02-07 at 10:14:24, Salvatore Bonaccorso wrote:
> > > It looks OK to me. Tagging moreinfo until there's a final diff.
> >
> > Friendly ping, any news? (It's too late now for the upcoming point
> > release though).
>
> It's still on my list, but not a very high priority. Definitely won't happen
> until at least after the Ubuntu 20.04 Debian merge deadline.

It would now be too late for the 10.5 buster point release, but did you
find time to finalize the debdiff for review for SRM? Then we might
target for 10.6.

Regards,
Salvatore

Bug#933636: CVE-2019-14934
On Mon, 2020-02-10 at 15:59 -0800, Francois Marier wrote:
> On 2020-02-07 at 10:14:24, Salvatore Bonaccorso wrote:
> > > It looks OK to me. Tagging moreinfo until there's a final diff.
> >
> > Friendly ping, any news? (It's too late now for the upcoming point
> > release though).
>
> It's still on my list, but not a very high priority. Definitely won't
> happen until at least after the Ubuntu 20.04 Debian merge deadline.
>

For the record, we're now planning for the final stretch point release
before it moves to LTS.

Regards,
Adam

Bug#933636: CVE-2019-14934
On 2020-02-07 at 10:14:24, Salvatore Bonaccorso wrote:
> > It looks OK to me. Tagging moreinfo until there's a final diff.
>
> Friendly ping, any news? (It's too late now for the upcoming point
> release though).

It's still on my list, but not a very high priority. Definitely won't happen
until at least after the Ubuntu 20.04 Debian merge deadline.

Francois

--
https://fmarier.org/

Bug#933636: CVE-2019-14934
Hi Francois,

On Tue, Aug 20, 2019 at 09:42:54PM +0100, Adam D. Barratt wrote:
> Control: tags -1 + moreinfo
>
> On Tue, 2019-08-13 at 23:29 -0700, Francois Marier wrote:
> > There is now an additional CVE that affects pdfresurrect in buster
> > and stretch:
> >
> > https://security-tracker.debian.org/tracker/CVE-2019-14934
> >
> > Neither this one or CVE-2019-14267 are deemed worthy of a DSA
> > however.
> >
> > If you approve the first upload I have prepared for buster and
> > stretch, I will revise it to include the fix for this second CVE,
> > but I will wait for your initial approval before putting any more
> > work into this.
>
> It looks OK to me. Tagging moreinfo until there's a final diff.

Friendly ping, any news? (It's too late now for the upcoming point
release though).

Regards,
Salvatore

Processed: Re: Bug#933636: CVE-2019-14934
Processing control commands:

> tags -1 + moreinfo
Bug #933637 [release.debian.org] buster-pu: package pdfresurrect/0.15-2
Added tag(s) moreinfo.

--
933637: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=933637
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Processed: Re: Bug#933636: CVE-2019-14934
Processing control commands:

> tags -1 + moreinfo
Bug #933636 [release.debian.org] stretch-pu: package pdfresurrect/0.12-6
Added tag(s) moreinfo.

--
933636: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=933636
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#933636: CVE-2019-14934
Control: tags -1 + moreinfo

On Tue, 2019-08-13 at 23:29 -0700, Francois Marier wrote:
> There is now an additional CVE that affects pdfresurrect in buster
> and stretch:
>
> https://security-tracker.debian.org/tracker/CVE-2019-14934
>
> Neither this one or CVE-2019-14267 are deemed worthy of a DSA
> however.
>
> If you approve the first upload I have prepared for buster and
> stretch, I will revise it to include the fix for this second CVE,
> but I will wait for your initial approval before putting any more
> work into this.

It looks OK to me. Tagging moreinfo until there's a final diff.

Regards,
Adam

Bug#933636: CVE-2019-14934
Hi Francois,

[Important disclaimer: not part of the release team]

On Tue, Aug 13, 2019 at 11:29:55PM -0700, Francois Marier wrote:
> There is now an additional CVE that affects pdfresurrect in buster and
> stretch:
>
> https://security-tracker.debian.org/tracker/CVE-2019-14934
>
> Neither this one or CVE-2019-14267 are deemed worthy of a DSA however.
>
> If you approve the first upload I have prepared for buster and stretch, I
> will revise it to include the fix for this second CVE, but I will wait for
> your initial approval before putting any more work into this.

If you are confident with all of the changes that they would be
accepted, then you even can already proceed. Important is though that
you provide the bugreport and a corresponding debdiff to the SRM. See
the announcement on the new workflow:

https://lists.debian.org/debian-devel-announce/2018/04/msg7.html

Hope this helps!

Regards,
Salvatore

Bug#933636: CVE-2019-14934
There is now an additional CVE that affects pdfresurrect in buster and
stretch:

https://security-tracker.debian.org/tracker/CVE-2019-14934

Neither this one or CVE-2019-14267 are deemed worthy of a DSA however.

If you approve the first upload I have prepared for buster and stretch, I
will revise it to include the fix for this second CVE, but I will wait for
your initial approval before putting any more work into this.

Francois

--
https://fmarier.org/