On Sun, Oct 25, 2015 at 11:19:03AM +0100, Kurt Roeckx wrote:
> On Sun, Oct 25, 2015 at 01:30:18PM +0900, Ben Hutchings wrote:
> > I've looked through the upstream repository for the patches that fix the
> > recently announced issues. Quite a few of them turned out not to apply
> > to squeeze, or the newer stable releases, and I've updated the security
> > tracker accordingly.
> >
> > I backported the remaining fixes as best I can, and uploaded the source
> > package to:
> > https://people.debian.org/~benh/packages/squeeze-lts/
> >
> > Would you be willing to review this package?
> >
> > I noticed that you entirely reverted the upstream patch that was
> > supposed to fix CVE-2015-7704 and -7705, and then applied a different
> > fix for -7704. I think this means -7705 isn't fixed in sid, though the
> > security tracker currently says it is. Who's right?
>
> I can't seem to be getting much information out of anything from
> upstream. Lots of things don't seem to be affecting the 4.2.6
> version.
>
> From what I currently understand the following don't apply to the
> 4.2.6 versions:
> CVE-2015-5196

So it seems they renamed CVE-2015-5196 to CVE-2015-7703.

Your patch probably makes sense and I should get that fixed in
jessie and wheezy too. I'm just wondering why you didn't move the
T_Pidfile like upstream did, that part seems to apply.

(I have to go now, will look at it later again.)

Kurt