Bug#924610: Bug#924609: Ports of CVE patches from Debian LTS for libsdl1.2

Moritz Mühlenhoff jmm at inutil.org
Mon Apr 29 21:30:21 BST 2019


On Mon, Apr 29, 2019 at 04:56:27PM +0200, Felix Geyer wrote:
> Hi,
> 
> On 24.04.19 21:33, Salvatore Bonaccorso wrote:
> > Hi Kari,
> > 
> > On Wed, Apr 24, 2019 at 07:15:44PM +0300, Kari Pahula wrote:
> > > Hi.
> > > 
> > > I've ported the CVE patches from Debian LTS for libsdl1.2 in unstable.
> > First thanks for working on the issues!
> > 
> > I have not reviewed your patches, but just a remark. Never just
> > forward-port a patchset from an older suite to newer (although the
> > version is identical here).
> > 
> > Furthermore as Moritz pointed out, at time of writing the bugreport,
> > only some of the bugs got patches, but not all were merged upstream,
> > several of the CVEs got later on upstream patches rather than
> > previously linked ones from the bugzilla.  We should base the upload
> > based on the current upstream patches which by now should be complete
> > (but double check the updated references in the security-tracker).
> 
> 
> Unfortunately there are still some bug reports without merged fixes.
> I've kept the Debian security tracker up-to-date in this regard
> (the CVEs with committed patches have a link to them).

For sdl-image1.2 we can already go ahead with an unstable upload, right?
The only issue affecting it was merged.

Cheers,
        Moritz


