Bug#876535: openjpeg2: Incorporate lost changelogs (and possibly changes) for NMUs 2.1.2-1.1, 2.1.2-1.2 and 2.1.2-1.3
Hi Mathieu,

On Mon, Sep 25, 2017 at 10:12:31AM +0200, Mathieu Malaterre wrote:
> Control: tags -1 pending
>
> Hi Salvatore,
>
> On Sat, Sep 23, 2017 at 1:59 PM, Salvatore Bonaccorso wrote:
> > Source: openjpeg2
> > Version: 2.2.0-1
> > Severity: normal
> >
> > Hi Mathieu,
> >
> > There was an update for openjpeg2 not incorporating the NMU changelog
> > for 2.1.2-1.1, 2.1.2-1.2 and 2.1.2-1.3. Please consider incorporating
> > those again (and double check no change was lost, I guess not that all
> > should in meanwhile be included in 2.2.0, but for #851422 I'm unsure
> > if it was fully covered, see the respective upstream issues which only
> > partially landed in 2.2.0).
> >
> > Specifically there were some CVEs addressed, which are hopefully still
> > fixed in 2.2.0-1, the FTBFS definitively seems so.
> >
> > cut-cut-cut-cut-cut-cut-
> > diff -Nru openjpeg2-2.1.2/debian/changelog openjpeg2-2.2.0/debian/changelog > > --- openjpeg2-2.1.2/debian/changelog2017-08-12 15:54:38.0 +0200 > > +++ openjpeg2-2.2.0/debian/changelog2017-09-22 21:51:36.0 +0200
> > @@ -1,26 +1,13 @@ > > -openjpeg2 (2.1.2-1.3) unstable; urgency=medium > > +openjpeg2 (2.2.0-1) unstable; urgency=medium > > > > - * Fix FTFBS (Closes: #871905) > > + * New upstream release. Closes: #872041 > > + * Fix CVE-2016-9113. Closes: #844552 > > + * Fix CVE-2016-9114. Closes: #844553 > > + * Fix CVE-2016-9115. Closes: #844554 > > + * Fix CVE-2016-9116. Closes: #844555 > > + * Fix CVE-2016-9117. Closes: #844556 > > > > - -- Moritz Muehlenhoff Sat, 12 Aug 2017 15:54:38 +0200 > > - > > -openjpeg2 (2.1.2-1.2) unstable; urgency=medium > > - > > - * Non-maintainer upload > > - * Fix CVE-2016-1626, CVE-2016-1628, CVE-2016-5152, CVE-2016-9112 and > > -CVE-2016-9118.patch > > - > > - -- Moritz Muehlenhoff Fri, 11 Aug 2017 22:17:07 +0200 > > - > > -openjpeg2 (2.1.2-1.1) unstable; urgency=medium > > - > > - * Non-maintainer upload. > > - * Add CVE-2016-9572_CVE-2016-9573.patch patch. > > -CVE-2016-9572: NULL pointer dereference in input decoding > > -CVE-2016-9573: Heap out-of-bounds read due to insufficient check in > > -imagetopnm(). (Closes: #851422) > > - > > - -- Salvatore Bonaccorso Sun, 22 Jan 2017 14:18:13 > > +0100 > > + -- Mathieu Malaterre Fri, 22 Sep 2017 21:51:36 +0200 > > > > openjpeg2 (2.1.2-1) unstable; urgency=medium > > cut-cut-cut-cut-cut-cut- > > > > Thanks for your time, double-checking and working on openjpeg2! > > Wow ! That was bad :( Thanks for catching my mistake. Thanks a lot for looking that quickly into this! And thanks for reopening the bugs regarding the 2.2.0-1 stanza, which are still under investigation/not yet fixed. Regards, Salvatore
Bug#876535: openjpeg2: Incorporate lost changelogs (and possibly changes) for NMUs 2.1.2-1.1, 2.1.2-1.2 and 2.1.2-1.3
Control: tags -1 pending

Hi Salvatore,

On Sat, Sep 23, 2017 at 1:59 PM, Salvatore Bonaccorso wrote:
> Source: openjpeg2
> Version: 2.2.0-1
> Severity: normal
>
> Hi Mathieu,
>
> There was an update for openjpeg2 not incorporating the NMU changelog
> for 2.1.2-1.1, 2.1.2-1.2 and 2.1.2-1.3. Please consider incorporating
> those again (and double check no change was lost, I guess not that all
> should in meanwhile be included in 2.2.0, but for #851422 I'm unsure
> if it was fully covered, see the respective upstream issues which only
> partially landed in 2.2.0).
>
> Specifically there were some CVEs addressed, which are hopefully still
> fixed in 2.2.0-1, the FTBFS definitively seems so.
>
> cut-cut-cut-cut-cut-cut-
> diff -Nru openjpeg2-2.1.2/debian/changelog openjpeg2-2.2.0/debian/changelog > --- openjpeg2-2.1.2/debian/changelog2017-08-12 15:54:38.0 +0200 > +++ openjpeg2-2.2.0/debian/changelog2017-09-22 21:51:36.0 +0200
> @@ -1,26 +1,13 @@ > -openjpeg2 (2.1.2-1.3) unstable; urgency=medium > +openjpeg2 (2.2.0-1) unstable; urgency=medium > > - * Fix FTFBS (Closes: #871905) > + * New upstream release. Closes: #872041 > + * Fix CVE-2016-9113. Closes: #844552 > + * Fix CVE-2016-9114. Closes: #844553 > + * Fix CVE-2016-9115. Closes: #844554 > + * Fix CVE-2016-9116. Closes: #844555 > + * Fix CVE-2016-9117. Closes: #844556 > > - -- Moritz Muehlenhoff Sat, 12 Aug 2017 15:54:38 +0200 > - > -openjpeg2 (2.1.2-1.2) unstable; urgency=medium > - > - * Non-maintainer upload > - * Fix CVE-2016-1626, CVE-2016-1628, CVE-2016-5152, CVE-2016-9112 and > -CVE-2016-9118.patch > - > - -- Moritz Muehlenhoff Fri, 11 Aug 2017 22:17:07 +0200 > - > -openjpeg2 (2.1.2-1.1) unstable; urgency=medium > - > - * Non-maintainer upload. > - * Add CVE-2016-9572_CVE-2016-9573.patch patch. > -CVE-2016-9572: NULL pointer dereference in input decoding > -CVE-2016-9573: Heap out-of-bounds read due to insufficient check in > -imagetopnm(). (Closes: #851422) > - > - -- Salvatore Bonaccorso Sun, 22 Jan 2017 14:18:13 +0100 > + -- Mathieu Malaterre Fri, 22 Sep 2017 21:51:36 +0200 > > openjpeg2 (2.1.2-1) unstable; urgency=medium > cut-cut-cut-cut-cut-cut- > > Thanks for your time, double-checking and working on openjpeg2! Wow ! That was bad :( Thanks for catching my mistake.
Bug#876535: openjpeg2: Incorporate lost changelogs (and possibly changes) for NMUs 2.1.2-1.1, 2.1.2-1.2 and 2.1.2-1.3
Source: openjpeg2
Version: 2.2.0-1
Severity: normal

Hi Mathieu,

There was an update for openjpeg2 not incorporating the NMU changelog
for 2.1.2-1.1, 2.1.2-1.2 and 2.1.2-1.3. Please consider incorporating
those again (and double check no change was lost, I guess not that all
should in meanwhile be included in 2.2.0, but for #851422 I'm unsure
if it was fully covered, see the respective upstream issues which only
partially landed in 2.2.0).

Specifically there were some CVEs addressed, which are hopefully still
fixed in 2.2.0-1, the FTBFS definitively seems so.

cut-cut-cut-cut-cut-cut-
diff -Nru openjpeg2-2.1.2/debian/changelog openjpeg2-2.2.0/debian/changelog --- openjpeg2-2.1.2/debian/changelog2017-08-12 15:54:38.0 +0200 +++ openjpeg2-2.2.0/debian/changelog2017-09-22 21:51:36.0 +0200
@@ -1,26 +1,13 @@ -openjpeg2 (2.1.2-1.3) unstable; urgency=medium +openjpeg2 (2.2.0-1) unstable; urgency=medium - * Fix FTFBS (Closes: #871905) + * New upstream release. Closes: #872041 + * Fix CVE-2016-9113. Closes: #844552 + * Fix CVE-2016-9114. Closes: #844553 + * Fix CVE-2016-9115. Closes: #844554 + * Fix CVE-2016-9116. Closes: #844555 + * Fix CVE-2016-9117. Closes: #844556 - -- Moritz MuehlenhoffSat, 12 Aug 2017 15:54:38 +0200 - -openjpeg2 (2.1.2-1.2) unstable; urgency=medium - - * Non-maintainer upload - * Fix CVE-2016-1626, CVE-2016-1628, CVE-2016-5152, CVE-2016-9112 and -CVE-2016-9118.patch - - -- Moritz Muehlenhoff Fri, 11 Aug 2017 22:17:07 +0200 - -openjpeg2 (2.1.2-1.1) unstable; urgency=medium - - * Non-maintainer upload. - * Add CVE-2016-9572_CVE-2016-9573.patch patch. -CVE-2016-9572: NULL pointer dereference in input decoding -CVE-2016-9573: Heap out-of-bounds read due to insufficient check in -imagetopnm(). (Closes: #851422) - - -- Salvatore Bonaccorso Sun, 22 Jan 2017 14:18:13 +0100 + -- Mathieu Malaterre Fri, 22 Sep 2017 21:51:36 +0200 openjpeg2 (2.1.2-1) unstable; urgency=medium cut-cut-cut-cut-cut-cut- Thanks for your time, double-checking and working on openjpeg2! Regards, Salvatore
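Review bot: The removed lines of this hunk delete the complete 2.1.2-1.3, 2.1.2-1.2 and 2.1.2-1.1 stanzas instead of leaving them in place below the new 2.2.0-1 entry, so debian/changelog loses the record of the NMU fixes for CVE-2016-9572 and CVE-2016-9573 (#851422), for CVE-2016-1626, CVE-2016-1628, CVE-2016-5152, CVE-2016-9112 and CVE-2016-9118, and for the FTBFS (#871905). Restore the three stanzas unchanged between the 2.2.0-1 entry and "openjpeg2 (2.1.2-1)", and confirm that every patch they name is either still applied or fully covered by upstream 2.2.0; the report itself is unsure about #851422. The added "Fix CVE-2016-9113" to "Fix CVE-2016-9117" lines each carry a "Closes:", and the follow-up in this thread says those bugs were reopened as still under investigation, so a later upload should not close them again until the fixes are verified.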