[Pkg-kde-extras] exiv2 stretch update (CVE-2018-16336)

Roberto C. Sánchez roberto at debian.org
Mon Oct 29 23:58:39 GMT 2018


On Sat, Oct 27, 2018 at 01:59:13PM +0200, Salvatore Bonaccorso wrote:
> Hi Roberto,
> 
> On Sat, Oct 20, 2018 at 11:10:17PM -0400, Roberto C. Sánchez wrote:
> > Hi all,
> > 
> > I prepared an update of exiv2 for jessie.  The patches I prepared
> > applied to the stretch version with only one minor change required.
> > 
> > The main change is the patch for CVE-2018-16336.  However, I also
> > included a tweak to the patch for CVE-2018-10958/CVE-2018-10999 based on
> > feedback I received approximately one month after I uploaded the last
> > security update for exiv2:
> > 
> > https://github.com/Exiv2/exiv2/issues/302#issuecomment-408640903
> > 
> > I have attached a debdiff from version 0.25-3.1+deb9u1 to
> > 0.25-3.1+deb9u2 for your review and the actual packages are available
> > here:
> > 
> > https://people.debian.org/~roberto/
> > 
> > If the package and proposed changes look good, please let me know and I
> > can sign and upload the packages and someone on the security team can
> > publish the DSA.
> 
> Looking at CVE-2018-16336 I feel it does not really warrant a DSA on
> its own. But given you have prepared a targeted fix for the issue,
> can I redirect you through the stretch-pu mechanism and have a fix
> included in the next stretch point release?

That sounds like a reasonable approach.  Are these the correct
instructions for me to follow?

https://www.debian.org/doc/manuals/developers-reference/ch05.html#upload-stable

Regards,

-Roberto

-- 
Roberto C. Sánchez


