Hi Julian - Thanks for the debdiffs! I've reviewed them and have compiled some feedback...
Debdiff review:

* New package versions are wrong. For example, the Oneiric version should be '0.14.1-1ubuntu2'. Please see the version examples at: https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Update_the_packaging
* Being picky, if I reference the patch origin's URL in the patch tags, I typically don't reference the URL in the changelog, too. This matches the changelog template at the link above.
* As an FYI, when we receive a merge request for security sponsoring, we generate a debdiff using the latest source package (possibly from the -security or -updates pockets) and proceed to use the debdiff from there. So, we generally prefer to get debdiffs from the start, but that isn't documented. I wanted to mention it in case it is easier on you to provide a debdiff.

Patch backport review:

* The backported CVE-2012-2085.patch in all three releases is missing the gajim.thread_interface(p.wait) call in the else block of exec_command().
* The natty and lucid debdiffs seem to have a missing "jid_tuple = (jid_id,)" in the else block of CVE-2012-2086.patch in chunk @ 654.

Additionally, please comment on the level of testing you've done with these patches applied.

Thanks!

** Changed in: gajim (Ubuntu Lucid) Status: New => Incomplete
** Changed in: gajim (Ubuntu Natty) Status: New => Incomplete
** Changed in: gajim (Ubuntu Oneiric) Status: New => Incomplete
** Tags added: patch-needswork
** Changed in: gajim (Ubuntu Lucid) Importance: Undecided => Medium
** Changed in: gajim (Ubuntu Natty) Importance: Undecided => Medium
** Changed in: gajim (Ubuntu Oneiric) Importance: Undecided => Medium
** Changed in: gajim (Ubuntu Lucid) Assignee: (unassigned) => Julian Taylor (jtaylor)
** Changed in: gajim (Ubuntu Natty) Assignee: (unassigned) => Julian Taylor (jtaylor)
** Changed in: gajim (Ubuntu Oneiric) Assignee: (unassigned) => Julian Taylor (jtaylor)

https://bugs.launchpad.net/bugs/992618
Title: gajim code execution and sql injection
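The review's point about the missing `jid_tuple = (jid_id,)` line concerns the sqlite3 parameter-binding idiom used by the SQL injection fix (CVE-2012-2086). The following is an added example, not gajim's code or schema: a constructed in-memory table with a string-formatted lookup beside the bound-parameter form, plus a function showing why the binding must be a one-element tuple rather than a bare value.

```python
import sqlite3


def build_db():
    """Constructed stand-in for a logger 'jids' table (not gajim's real schema)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE jids (jid_id INTEGER PRIMARY KEY, jid TEXT)")
    con.executemany("INSERT INTO jids (jid) VALUES (?)",
                    [("alice@example.org",), ("bob@example.org",)])
    return con


def lookup_unsafe(con, jid):
    # The jid text is spliced into the statement, so it is parsed as SQL.
    cur = con.execute("SELECT jid_id FROM jids WHERE jid = '%s'" % jid)
    return [row[0] for row in cur.fetchall()]


def lookup_safe(con, jid):
    # Parameter binding: the value is passed to SQLite separately and is
    # never parsed as SQL. sqlite3 expects a sequence of parameters, hence
    # the one-element tuple the review refers to as `jid_tuple = (jid_id,)`.
    jid_tuple = (jid,)
    cur = con.execute("SELECT jid_id FROM jids WHERE jid = ?", jid_tuple)
    return [row[0] for row in cur.fetchall()]


def bind_without_tuple_fails(con, jid):
    # Passing the bare string instead of a tuple makes sqlite3 treat the
    # string itself as the parameter sequence (one binding per character),
    # which raises ProgrammingError for anything but a one-character jid.
    try:
        con.execute("SELECT jid_id FROM jids WHERE jid = ?", jid)
    except sqlite3.ProgrammingError:
        return True
    return False


if __name__ == "__main__":
    db = build_db()
    hostile = "x' OR 'a'='a"
    print("bound lookup, hostile input:", lookup_safe(db, hostile))      # []
    print("formatted lookup, hostile input:", lookup_unsafe(db, hostile))  # [1, 2]
    print("bare-string binding fails:", bind_without_tuple_fails(db, hostile))
```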
