Your message dated Sun, 17 Mar 2013 17:28:53 +0100
with message-id <5145ef45.6070...@thykier.net>
and subject line Re: Bug#698925: unblock: glpi/0.83.31-2
has caused the Debian Bug report #698925,
regarding unblock: glpi/0.83.31-2
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
698925: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=698925
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Please unblock package glpi
This fixes a security issue, and should allow glpi not to be removed
from wheezy.
Changelog:
glpi (0.83.31-2) unstable; urgency=high
.
* Security fixes:
Replace embedded copy of extjs by Debian package, the embedded one
contains a flash file built with a vulnerable version of yui
(charts.swf).
(Closes: #694642)
* Urgency high, this is a RC bug
Full debdiff attached.
Regards,
Pierre
unblock glpi/0.83.31-2
-- System Information:
Debian Release: 6.0.6
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32.55.pollux-grsec (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Nru glpi-0.83.31/debian/changelog glpi-0.83.31/debian/changelog
--- glpi-0.83.31/debian/changelog 2012-07-22 21:47:52.000000000 +0200
+++ glpi-0.83.31/debian/changelog 2013-01-25 11:37:11.000000000 +0100
@@ -1,3 +1,13 @@
+glpi (0.83.31-2) unstable; urgency=high
+
+ * Security fixes:
+ Replace embedded copy of extjs by Debian package, the embedded one
+ contains a flash file built with a vulnerable version of yui (charts.swf).
+ (Closes: #694642)
+ * Urgency high, this is a RC bug
+
+ -- Pierre Chifflier <pol...@debian.org> Fri, 25 Jan 2013 11:37:09 +0100
+
glpi (0.83.31-1) unstable; urgency=medium
* Imported Upstream version 0.83.31
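Review bot: The new 0.83.31-2 entry identifies the problem only as "a vulnerable version of yui (charts.swf)" and carries no advisory or CVE reference, so a reader has to open #694642 to learn what is actually being fixed; if an identifier exists, cite it here. The entry also leaves out the packaging changes that implement the fix (the new dependency on libjs-extjs and the symlink that replaces lib/extjs); a line for each would make the changelog match the debdiff.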
diff -Nru glpi-0.83.31/debian/control glpi-0.83.31/debian/control
--- glpi-0.83.31/debian/control 2012-03-10 11:37:14.000000000 +0100
+++ glpi-0.83.31/debian/control 2013-01-25 11:32:56.000000000 +0100
@@ -15,6 +15,7 @@
ttf-freefont,
tinymce,
libphp-phpmailer,
+ libjs-extjs,
${misc:Depends}
Description: IT and Asset management software
GLPI stands for "Gestionnaire libre de parc informatique",
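Review bot: The added `libjs-extjs,` line has no version constraint, so any packaged ExtJS release satisfies it, including one whose API differs from the embedded copy that GLPI 0.83.31 shipped with. Because the rules change swaps lib/extjs wholesale for the packaged files, record which libjs-extjs version the interface was tested against and add a matching bound to the dependency, or state in the changelog that any version works.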
diff -Nru glpi-0.83.31/debian/rules glpi-0.83.31/debian/rules
--- glpi-0.83.31/debian/rules 2012-04-28 16:58:14.000000000 +0200
+++ glpi-0.83.31/debian/rules 2013-01-25 11:34:15.000000000 +0100
@@ -67,6 +67,8 @@
rm -rf $(DESTDIR)/usr/share/glpi/lib/phpcas
rm -rf $(DESTDIR)/usr/share/glpi/lib/tiny_mce
rm -rf $(DESTDIR)/usr/share/glpi/lib/phpmailer
+ rm -rf $(DESTDIR)/usr/share/glpi/lib/extjs; \
+ ln -s /usr/share/javascript/extjs $(DESTDIR)/usr/share/glpi/lib/extjs
build-arch: build
build-indep: build
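Review bot: In the two added recipe lines, `rm -rf $(DESTDIR)/usr/share/glpi/lib/extjs; \` is chained to `ln -s` with `;`, so the exit status of `rm` is discarded; if the directory survives, `ln -s` creates the link inside it (lib/extjs/extjs), returns success, and the embedded copy with charts.swf ships unnoticed. Put the two commands on separate recipe lines like the preceding `rm -rf` lines, or join them with `&&`. Declaring the link in debian/links (dh_link) instead would also convert the absolute target into the relative form Debian Policy asks for when both paths are under /usr.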
--- End Message ---
--- Begin Message ---
On 2013-03-06 21:37, Niels Thykier wrote:
> [...]
>
> #694642 got downgraded since last time I looked. I have to admit that I
> am considering to just "ignore" the embedded swf issue for Wheezy[1] and
> call this a day. I know it is not as satisfying for you (or me for that
> matter), but I think it is the pragmatic thing to do here.
> That said, you can just upload that version to sid; if we change our
> minds the fixed version will have had a bit more time in sid. And if
> not, then the bug is at least fixed in the start of Jessie.
>
> ~Niels
>
> [1] We already got a few "DFSG-incompatible JSON" issues that won't be
> fixed in Wheezy.
>
>
Seems like no one disagreed, so closing.
~Niels
--- End Message ---