[pkg-php-pear] Symfony: Fixes for CVE-2016-4423 and CVE-2016-2403 for sid and experimental in git (WAS: Re: Symfony in stable: Fix for CVE-2016-4423 in git)
dabe at deb.ymc.ch
Wed May 11 08:04:56 UTC 2016
On Tue, 2016-05-10 at 23:48 +0200, Daniel Beyer wrote:
> Hi David,
> I prepared 2.8.6 in branch 2.8, which should be ready for a sid upload.
> With 3.0.6 I have failing tests - I uploaded my work in branch
> wip/dabe/3.0.6 and will have a closer look at that tomorrow.
Regarding CVE-2016-4423 and CVE-2016-2403 which are closed by upstream
in 2.8.6 and 3.0.6:
As already mentioned, 2.8.6 in branch 2.8 should be ready for sid.
With 3.0.6 there was a dependency problem in symfony. I circumvented
this by reporting the issue upstream and cherry-picking my proposed
fix back into our packaging.
The tests for 3.0.6 are still failing in experimental, which is caused
by a too new version of php-phpdocumentor-reflection. This issue is not
new and already present in current 3.0.5+dfsg-1.
Given that the testsuite is already failing and 3.0.6 closes two CVEs, I
suggest uploading wip/dabe/3.0.6 to experimental (note that d/changelog
is still open in wip/dabe/3.0.6 - use "gbp dch --auto --release" on it).
I'm not sure how to get the tests working again with the newer version
of php-phpdocumentor-reflection in experimental, but I'll try to work on
it - yet I'm not sure if I'll find time for it this week.