[Pkg-kde-extras] exiv2 stretch update (CVE-2018-16336)

Salvatore Bonaccorso carnil at debian.org
Sat Oct 27 12:59:13 BST 2018


Hi Roberto,

On Sat, Oct 20, 2018 at 11:10:17PM -0400, Roberto C. Sánchez wrote:
> Hi all,
> 
> I prepared an update of exiv2 for jessie.  The patches I prepared
> applied to the stretch version with only one minor change required.
> 
> The main change is the patch for CVE-2018-16336.  However, I also
> included a tweak to the patch for CVE-2018-10958/CVE-2018-10999 based on
> feedback I received approximately one month after I uploaded the last
> security update for exiv2:
> 
> https://github.com/Exiv2/exiv2/issues/302#issuecomment-408640903
> 
> I have attached a debdiff from version 0.25-3.1+deb9u1 to
> 0.25-3.1+deb9u2 for your review and the actual packages are available
> here:
> 
> https://people.debian.org/~roberto/
> 
> If the package and proposed changes look good, please let me know and I
> can sign and upload the packages and someone on the security team can
> publish the DSA.

Looking at CVE-2018-16336 I feel it does not really warrant a DSA on
it's own. But given you have prepared a targeted fix for the issue,
can I redirect you trough the stretch-pu mechanism and have a fix
included in the next stretch point release?

Regards,
Salvatore



More information about the pkg-kde-extras mailing list