[Pkg-kde-extras] exiv2 stretch update (CVE-2018-16336)
Salvatore Bonaccorso
carnil at debian.org
Sat Oct 27 12:59:13 BST 2018
Hi Roberto,
On Sat, Oct 20, 2018 at 11:10:17PM -0400, Roberto C. Sánchez wrote:
> Hi all,
>
> I prepared an update of exiv2 for jessie. The patches I prepared
> applied to the stretch version with only one minor change required.
>
> The main change is the patch for CVE-2018-16336. However, I also
> included a tweak to the patch for CVE-2018-10958/CVE-2018-10999 based on
> feedback I received approximately one month after I uploaded the last
> security update for exiv2:
>
> https://github.com/Exiv2/exiv2/issues/302#issuecomment-408640903
>
> I have attached a debdiff from version 0.25-3.1+deb9u1 to
> 0.25-3.1+deb9u2 for your review and the actual packages are available
> here:
>
> https://people.debian.org/~roberto/
>
> If the package and proposed changes look good, please let me know and I
> can sign and upload the packages and someone on the security team can
> publish the DSA.
Looking at CVE-2018-16336 I feel it does not really warrant a DSA on
its own. But given you have prepared a targeted fix for the issue,
can I redirect you through the stretch-pu mechanism and have a fix
included in the next stretch point release?
Regards,
Salvatore