Bug#951800: CVE-2020-9273: buster affected

Salvatore Bonaccorso carnil at debian.org
Thu Feb 27 06:41:29 GMT 2020


Hi Hilmar,

On Wed, Feb 26, 2020 at 06:41:05PM +0100, Salvatore Bonaccorso wrote:
> Hi Hilmar,
> 
> On Tue, Feb 25, 2020 at 06:20:06PM +0100, Hilmar Preuße wrote:
> > On 2/22/20 10:58 PM, Salvatore Bonaccorso wrote:
> > > On Sat, Feb 22, 2020 at 09:29:34PM +0100, Hilmar Preuße wrote:
> > 
> > Hi Salvatore,
> > 
> > >> The fix for this issue (+ patch for two other issues) is already in the
> > >> buster branch on salsa. I planned to upload that ASAP. Not sure if it
> > >> will still happen this week.
> > > 
> > > Yes note I did upload both as (as said had a bit of time to work
> > > actually on Debian this weekend dedicatedly). I have not released the
> > > DSA because I really would like to understand if we can verify the
> > > fix. But if this looks unfeasible in reasonable timeframe I will go
> > > ahead with the DSA.
> > > 
> > Not sure, if I understood you correctly: has 1.3.5b-4+deb9u4 &
> > 1.3.6-4+deb10u4 been released and uploaded by you? I did not see the
> > package yet in the archive.
> > 
> > > That said, I might still miss something.
> 
> First, sorry for late reply, had two quite busy (working) days. I was
> not too clear, sorry about that. Yes, I did work on the update on the
> weekend actually, and was going to push the button, when I noticed
> there was a regression handled upstream. This is the reason I did not
> yet. And I was waiting for upstream to receive some feedback, but I
> guess here I have to go without because until now I heard not back.
> 
> The upload which will go hit the archive will be both the initial
> commit and the bugfix on top (cf. #952557) so it would be great if you
> can then rebase on top then.
> 
> I realize I very badly communicated in this stance, maybe being
> overmotivated at a Debian event.
> 
> Find attached the debdiffs as they are now for release.

The DSA release happened yesterday evening as DSA 4635-1.

Regards,
Salvatore


