On Thu, 2015-03-26 at 00:13 +0000, Jelmer Vernooij wrote:
> On Wed, Mar 25, 2015 at 07:59:06AM +0000, Adam D. Barratt wrote:
[...]
> > On 2015-03-25 1:31, Jelmer Vernooij wrote:
> > [...]
> > >User: release.debian....@packages.debian.org
> > >Usertags: pu
> >
> > Updates via t-p-u are unblocks; "pu" is intended for stable updates. I
> > realise that this apparently isn't clear from the reportbug wording.
>
> I was told to file a bug when I asked on #debian-release about
> uploading to testing-proposed-updates.

Yeah, that's fine; it's just the type of bug which was wrong. :-)

> > >I'd like to upload a new version of dulwich to testing-proposed-updates.
> > >unstable already has a new upstream version (0.9.8) from an upload in
> > >November, and has diverged from testing.
> > >
> > >This upload would fix two serious security bugs:
> > >
> > >#780958 CVE-2015-0838: buffer overflow in C implementation of pack
> > >apply_delta()
> > >#780989 CVE-2014-9706: does not prevent to write files in commits with
> > >invalid paths to working tree
> >
> > +dulwich (0.9.7-3) unstable; urgency=medium
> >
> > s/unstable/jessie/ :)
> Whoops, fixed :)
>
> > The patches look okay, but according to the BTS metadata both bugs affect
> > the package in unstable and are not yet fixed there. If that's correct,
> > please fix unstable and then get back to us; if it's not, please fix the
> > metadata to indicate where the bugs are fixed.
>
> The upload for unstable is probably stuck in NEW (behind another change that
> required NEW processing).

0.9.8-2 made it out of NEW earlier this morning, judging from the logs.
From a quick look that doesn't obviously include the fixes for the CVEs
though.

Regards,

Adam