Hi Felix,

On Wed, Nov 05, 2014 at 06:45:09PM +0100, Felix Geyer wrote:
> Control: reopen -1
> Control: found -1 0.11.0-1
>
> Version 0.11.0 does *not* contain the commit that fixes this bug.

Thanks for checking also this version!

> 0.11.0-1 is also wrongly marked as fixed in the security tracker.

Yes and no about the security-tracker. The CVE/bug was fixed in 0.10.0-2.1 which was superseded by 0.11.0-1 in unstable before reaching testing. The security-tracker cannot notice that it was fixed in 0.10.0-2.1 but would not be fixed in 0.11.0-1 (as 0.10.0-2.1 < 0.11.0-1).

The security-tracker has the following entry, which now needs an adjustment depending on the chosen approach:

CVE-2014-8483 [out-of-bounds read on a heap-allocated array]
	RESERVED
	{DSA-3063-1}
	- quassel 0.10.0-2.1 (bug #766962)
	NOTE: https://github.com/quassel/quassel/commit/8b5ecd226f9208af3074b33d3b7cf5e14f55b138
	NOTE: http://bugs.quassel-irc.org/issues/1314
	- konversation <unfixed>
	NOTE: https://bugs.kde.org/show_bug.cgi?id=210792

> I guess now 0.10.0-2.1 has to be re-uploaded with a different version
> to testing-proposed-updates.

Either that or a 1:0.10.0-2.1 upload again to unstable, and ask the release team for an unblock of this version. I think the latter would be preferable as it leaves more changes of updates through unstable during the freeze complying with the freeze policy given.

Regards,
Salvatore