On 07/19/2015 01:38 PM, Moritz Mühlenhoff wrote:
> On Sun, Jul 19, 2015 at 12:42:41PM +0200, Sebastiaan Couwenberg wrote:
>> On 07/19/2015 12:04 PM, Moritz Mühlenhoff wrote:
>>> On Wed, Jul 15, 2015 at 10:35:25PM +0200, Sebastiaan Couwenberg wrote:
>>>> Dear Security Team,
>>>>
>>>> FreeXL 1.0.2 was released yesterday, it fixes a recently discovered
>>>> security issue. To quote the release announcement:
>>>>
>>>> "
>>>> RedHat maintainers recently discovered a potential security breach
>>>> caused by the current version of FreeXL.
>>>>
>>>> This issue is not very likely to happen under ordinary conditions, anyway
>>>> a purposely forged XLS document could effectively cause a
>>>> multiplication overflow on 32 bit platforms, and this in turn will
>>>> subsequently cause a dangerous crash due to an incorrectly sized
>>>> memory allocation.
>>>> freexl-1.0.2 definitely fixes the issue.
>>>> "
>>>>
>>>> https://groups.google.com/d/msg/spatialite-users/UZ7ivR6ASV0/K_8bjP1or_IJ
>>>>
>>>> I've uploaded freexl (1.0.2-1) to unstable today, and I've backported
>>>> the fix to freexl (1.0.0g-1+deb8u2) and freexl (1.0.0b-1+deb7u2) for
>>>> jessie & wheezy respectively. The changes are available in git:
>>>>
>>>> http://anonscm.debian.org/cgit/pkg-grass/freexl.git/log/?h=jessie
>>>> http://anonscm.debian.org/cgit/pkg-grass/freexl.git/log/?h=wheezy
>>>>
>>>> Are these OK to upload?
>>>
>>> Yes, please upload to security-master. Since there have been freexl DSAs
>>> for wheezy and jessie before, they don't need to be built with "-sa" this
>>> time.
>>
>> Thanks, uploaded.
>
> Sorry, I was confused by the version number for jessie, while named
> 1.0.0g-1+deb8u1 it was actually uploaded to unstable before the freeze.
> As a consequence dak rejected the upload, it does need to be rebuilt with
> "-sa", sorry for the mixup.

Thanks for the notice, I've uploaded a new build with -sa.

Kind Regards,

Bas

--
 GPG Key ID: 4096R/6750F10AE88D4AF1
Fingerprint: 8182 DE41 7056 408D 6146 50D1 6750 F10A E88D 4AF1
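
The bug class named in the quoted release announcement (a multiplication that wraps on 32-bit platforms and produces an undersized allocation), as an added example that is not part of this thread and is not FreeXL's code. `cell_t`, the function names and the dimensions are hypothetical, and `uint32_t` stands in for a 32-bit `size_t` so the wrap reproduces on any host.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical cell record; not FreeXL's actual structure. */
typedef struct { uint8_t type; double value; } cell_t;

/* Size as a 32-bit size_t would compute it: the product wraps modulo 2^32. */
uint32_t unchecked_size32(uint32_t rows, uint32_t cols, uint32_t elem)
{
    return rows * cols * elem;
}

/* Checked size: returns 0 and stores the byte count, or -1 if it cannot
 * be represented in 32 bits (or a factor is zero). */
int checked_size32(uint32_t rows, uint32_t cols, uint32_t elem, uint32_t *out)
{
    if (rows == 0 || cols == 0 || elem == 0)
        return -1;
    if (cols > UINT32_MAX / rows)
        return -1;
    if (elem > UINT32_MAX / (rows * cols))
        return -1;
    *out = rows * cols * elem;
    return 0;
}

/* Allocate a sheet only when the file-supplied dimensions fit. */
cell_t *alloc_sheet(uint32_t rows, uint32_t cols)
{
    uint32_t bytes;
    if (checked_size32(rows, cols, (uint32_t)sizeof(cell_t), &bytes) != 0)
        return NULL;
    return calloc(1, bytes);
}

int main(void)
{
    /* Constructed dimensions, as if read from a file header. */
    uint32_t rows = 0x10000, cols = 0x1001, bytes = 0;
    printf("unchecked: %u bytes\n", (unsigned)unchecked_size32(rows, cols, 16));
    printf("checked:   %s\n",
           checked_size32(rows, cols, 16, &bytes) ? "rejected" : "ok");
    return 0;
}
```

With these constructed dimensions the unchecked product wraps to 1 MiB for a table that needs about 4 GiB, so later writes indexed by row and column would run past the buffer; the checked path refuses the allocation instead.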
