Martin Pitt <[EMAIL PROTECTED]> wrote:

> Package: libtiff4
> Version: 3.7.2-2
> Severity: critical
> Tags: security
>
> Hi!
>
> Libtiff is vulnerable to another exploitable segfault, see
>
> http://bugzilla.remotesensing.org/show_bug.cgi?id=843
>
> for details.
>
> However, please don't take the patch attached to that bug report, it's
> incomplete. Upstream CVS has the complete patch, you can also grab it
> from
>
> http://bugs.gentoo.org/attachment.cgi?id=58276

Thanks.

Debian security: I am leaving today for vacation and will be
completely unreachable for at least a day or two. I should be able to
deal with the current version today before I leave, so no NMU should
be necessary for the version in sid/sarge. I don't have a way right
now to deal with the version in woody, so I'd have to request that the
security team take care of it as they have done in the past. I won't
have time to deal with it today before I leave, I'm afraid.

> For Sid you should probably just package the new upstream version, but
> for Sarge the patch is fine (I already ported it to 3.6.1 for Ubuntu's
> releases and tested it).

Um, sid already has the latest upstream version, so I'm not sure what
you mean, unless 3.7.3 is about to be released. I follow the upstream
mailing list though and I haven't heard about it. Am I missing
something?

Breezy also has the 3.7.2-2ubuntu1 which differs from the Debian
version only in that it has already undergone the C++ ABI transition
(for libtiffxx0). Martin, will you take care of applying this patch to
the Breezy version?

--
Jay Berkenbilt <[EMAIL PROTECTED]>