Control: tags -1 - moreinfo On 5/8/21 9:18 PM, Sebastian Ramacher wrote: > On 2021-05-08 07:29:01 +0200, Bas Couwenberg wrote: >> Package: release.debian.org >> Severity: normal >> User: release.debian....@packages.debian.org >> Usertags: unblock >> >> Please unblock package mapserver to fix CVE-2021-32062 as reported in >> #988208. >> >> [ Reason ] >> Fix security issue. >> >> [ Impact ] >> Unfixed security issue. >> >> [ Tests ] >> Upstream CI. >> >> [ Risks ] >> Low, leaf package. >> >> [ Checklist ] >> [x] all changes are documented in the d/changelog >> [x] I reviewed all changes and I approve them >> [x] attach debdiff against the package in testing >> >> [ Other info ] >> 0001-Use-CPLSetConfigOption-CPLGetConfigOption-for-some-C.patch is required >> as a dependency of >> 0001-Address-flaw-in-CGI-mapfile-loading-that-makes-it-po.patch. >> >> unblock mapserver/7.6.2-2 > >> diff -Nru mapserver-7.6.2/debian/changelog mapserver-7.6.2/debian/changelog >> --- mapserver-7.6.2/debian/changelog 2020-12-09 06:01:02.000000000 +0100 >> +++ mapserver-7.6.2/debian/changelog 2021-05-08 07:12:18.000000000 +0200 >> @@ -1,3 +1,12 @@ >> +mapserver (7.6.2-2) unstable; urgency=high >> + >> + * Drop unused lintian overrides. >> + * Add upstream patches to fix CVE-2021-32062. >> + (closes: #988208) >> + * Update symbols file. >> + >> + -- Bas Couwenberg <sebas...@debian.org> Sat, 08 May 2021 07:12:18 +0200 >> + >> mapserver (7.6.2-1) unstable; urgency=medium >> >> * Update symbols for other architectures. >> diff -Nru mapserver-7.6.2/debian/libmapserver2.lintian-overrides >> mapserver-7.6.2/debian/libmapserver2.lintian-overrides >> --- mapserver-7.6.2/debian/libmapserver2.lintian-overrides 2020-08-06 >> 05:34:57.000000000 +0200 >> +++ mapserver-7.6.2/debian/libmapserver2.lintian-overrides 1970-01-01 >> 01:00:00.000000000 +0100 
>> @@ -1,3 +0,0 @@ >> -# Cannot easily be fixed >> -file-references-package-build-path * >> - >> diff -Nru mapserver-7.6.2/debian/libmapserver2.symbols >> mapserver-7.6.2/debian/libmapserver2.symbols >> --- mapserver-7.6.2/debian/libmapserver2.symbols 2020-12-09 >> 06:00:39.000000000 +0100 >> +++ mapserver-7.6.2/debian/libmapserver2.symbols 2021-05-08 >> 07:11:08.000000000 +0200 >> @@ -945,6 +945,7 @@ >> msCSVJoinPrepare@Base 6.2.1 >> msCairoCleanup@Base 6.2.1 >> msCalculateScale@Base 6.2.1 >> + msCaseEvalRegex@Base 7.6.2 >> msCaseReplaceSubstring@Base 6.2.1 >> msCheckLabelMinDistance@Base 7.0.0 >> msCheckParentPointer@Base 6.2.1 >> @@ -1418,6 +1419,7 @@ >> msIsGlyphASpace@Base 7.2.0 >> msIsLayerQueryable@Base 6.2.1 >> msIsOuterRing@Base 6.2.1 >> + msIsValidRegex@Base 7.6.2 > > This version is not high enough. The symbols need to be marked as > requiring 7.6.2-2~
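Review bot: In the debian/libmapserver2.symbols hunks, msCaseEvalRegex and msIsValidRegex are recorded as `@Base 7.6.2`, but per the changelog hunk they only appear with the patches added in 7.6.2-2. A package built against the library would then get a dependency on >= 7.6.2, which 7.6.2-1 satisfies without exporting either symbol. Record both as `7.6.2-2~`.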
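Review bot: In the debian/changelog hunk, the entry "Add upstream patches to fix CVE-2021-32062." does not name the patches, so the changelog alone does not tell a reader which files carry the fix. List the two patch files named under "Other info" and note that the CPLSetConfigOption/CPLGetConfigOption one is there only as a prerequisite. The same entry also bundles "Drop unused lintian overrides.", which is unrelated to the CVE; for an unblock during the freeze, the diff would be easier to review with that cleanup left out.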
There are no rdeps of mapserver in Debian, so no users of the symbols file.

> Please remove the moreinfo tag once that fixed version is available in
> unstable.

mapserver (7.6.2-2) has been uploaded to unstable without further changes to the symbols file.

Kind Regards,

Bas

-- 
 GPG Key ID: 4096R/6750F10AE88D4AF1
Fingerprint: 8182 DE41 7056 408D 6146 50D1 6750 F10A E88D 4AF1