On 30 January 2019 at 13:11, Adam D. Barratt wrote:
| On 2019-01-29 11:53, Dirk Eddelbuettel wrote:
| > This is a follow-up to the discussion in #919324 and subsequent emails with
| > Moritz and Salvatore. The two CVEs are genuine and fixed, the issue however
| > is not a full-blown denial-of-service etc so Moritz suggested a normal
| > security upload.
| >
| > The debdiff is included below, with the distribution changed from
| > stretch-security to just stretch.
| >
| > Happy to upload once you give a green light. (System information removed as I
| > type this on Ubuntu 18.10 ...)
|
| Apparently it was already uploaded.
|
| patches/updated-upstream-changes | 2699 | +++++++++++++++++++++++++++++++++++++++
To unstable, yes - as 1.2.9000-1. But Moritz asked me to also upload to stretch. See https://packages.debian.org/search?keywords=r-cran-readxl

| Aside from being big enough to be non-trivial to review, the filename of
| that patch isn't ideal. If there are other upstream changes that need
| incorporating in future, are you simply planning on appending to that
| patch, rather than having separate patches for specific purposes?

This is Debian packaging of the CRAN package readxl. Its current upstream version is in better shape. I "have to" run this fix as a CVE had been issued. As Moritz (now CCed) suggested that this doesn't need a full-blown security upload (no DOS here, just plain segfaults in R when libxls is loaded) we went this route.

| I noticed that your changelog includes a Closes: for this bug. Please
| don't do that. Bugs against release.d.o for stable updates get closed by
| us once the package is actually in stable (i.e. after a point release
| which includes the update has been released); uploading the package is
| some way from the end of the process of the fix being available for end
| users.

Sorry, my bad. I don't do security uploads to stable often and am not as smooth as I could be for lack of practice.

Is there anything you need correcting so badly that we need a new upload from me? If so, can you please spell out in clear detail what needs changing.

Many thanks, Dirk

| Regards,
|
| Adam

-- 
http://dirk.eddelbuettel.com | @eddelbuettel | e...@debian.org