Hi Bernd,

On Mon, Apr 01, 2019 at 12:41:30AM +0200, Bernd Zeimetz wrote:
> Hi,
>
> On 3/30/19 8:32 AM, Salvatore Bonaccorso wrote:
> > Hi Bernd,
> >
> > On Fri, Mar 29, 2019 at 10:54:50PM +0100, Bernd Zeimetz wrote:
> >> Hi Salvatore,
> >>
> >>> The following vulnerability was published for gpsd, not completely sure
> >>> on severity and on if the referenced upstream commit is enough.
> >>> Ideally though the fix seems ideal to go to buster.
> >>
> >> I've tried to get more information out of Upstream, but did not get a
> >> reply yet. So I'll prepare an upload with the mentioned commit. Looking
> >> through the commit logs from gpsd it seems to be the only relevant one.
> >
> > Ack thank you for investigating, I was neither more successful to
> > determine if that's enough.
> >
> > Cc'ing the security team alias, if anyone has more ideas.
>
> So I'd go with
> https://github.com/bzed/pkg-gpsd/blob/buster/debian/patches/json-cve-fix
>
> which contains all changes to json.c/.h up to
> a399e85c1201400e281f2c1dc29dde21c29b0088
>
> from the upstream repository.
>
> Later changes are not relevant here.
>
> Any objections?

Makes sense. Once uploaded to unstable, can you ask for an unblock so it
will reach buster?

Regards,
Salvatore