On Wed, 11 Jan 2017 at 01:46:32 +0000, Simon McVittie wrote:
> Subsequent manual testing of the fixes for all those revealed some tricky
> issues in error recovery code paths which I fixed in 3.20170110. We'll
> see whether that's the final version...

While preparing the backport of this whole mess for jessie, I found another
security issue which *is* serious (CVE-2017-0356, an authentication bypass).

> I suspect the diff resulting from all this is going to be larger than the
> rest of the differences between git.pm in wheezy and git.pm in sid, which
> makes me very tempted to recommend backporting the entire git.pm from sid

That is my recommendation, and is what went into jessie-security (a DSA
should follow soon).

Here is a rather large patch stack which pulls in all the fixes from
jessie-security (including autopkgtest support and enough build-dependencies
to run most of the tests at build-time), plus a couple of unrelated backports
from jessie to get the tests to pass:

    git clone git://git.ikiwiki.info/ -b debian-wheezy
    http://source.ikiwiki.branchable.com/?p=source.git;a=shortlog;h=refs/heads/debian-wheezy

It builds for wheezy in sbuild, and passes autopkgtests on a wheezy VM if you
parachute in pkg-perl-autopkgtest_0.19_all.deb from jessie (sorry, making it
work without that jessie package is a yak-shave too far). I have not installed
it on an actual web server because I don't run oldstable anywhere, but there
is a test for CVE-2017-0356, which passes.

Alternatively, if you want to abandon the backport approach for this package,
I expect that the jessie-security version (the debian-jessie branch in the
same git repository) would work fine in wheezy.

If you release an updated package for wheezy using git, please let me know
where I can fetch the git commits (or I'll use git-import-dsc if necessary).

    S