[Pkg-kde-extras] exiv2 stretch update (CVE-2018-16336)

Salvatore Bonaccorso carnil at debian.org
Sun Nov 4 07:57:11 GMT 2018


Hi Roberto,

On Thu, Nov 01, 2018 at 09:11:38PM -0400, Roberto C. Sánchez wrote:
> On Tue, Oct 30, 2018 at 08:51:49AM +0100, Salvatore Bonaccorso wrote:
> > 
> > Yes this is right. There was as well announced
> > https://lists.debian.org/debian-devel-announce/2018/04/msg00007.html
> > for a slightly changed workflow possibility (for the cases one is
> > absolutely confident the upload will be accepted, one can upload in
> > advance, but still submit debdiff and bug to release.d.o).
> > 
> So, I went ahead and filed the bug rather than uploading preemptively.
> The bug is #912531.  Adam pointed out that the CVE in question is still
> open in unstable.  Is there a plan to upload a 0.25-5 version that
> addresses the CVE?  Or is there work underway to upload a 0.26 package?
> 
> Alternately, I could NMU to unstable based on 0.25-4 to clear the way
> for the stable proposed update of 0.25-3.1+deb9u2.  I am happy to do
> what I can to help or to wait if that is what serves the team best.
> 
> Please advise.

Right, the fix needs to be first in unstable, so either a maintainer
upload for 0.25-4, but I guess the exiv2 maintainer would not object
to an NMU, but I cannot speak for the exiv2 packaging team.

Regards,
Salvatore


