On Mon, 2016-10-17 at 21:25 +0200, Anton Gladky wrote:
> libiberty needs to be updated in Jessie, because the newer version
> fixes many security issues:

Please file this as an appropriately-tagged bug against release.debian.org; mails to the list have a tendency to get lost.

> CVE-2016-4487 CVE-2016-4488 CVE-2016-4489 CVE-2016-4490
> CVE-2016-4492 CVE-2016-4493 CVE-2016-2226 CVE-2016-6131
>
> Also libiberty is statically linked against "ht" which also
> should be updated in order to fix the same CVEs, because ht uses
> an embedded copy of libiberty (#840358).

I'm slightly confused here. libiberty is statically linked against something that embeds libiberty? That seems somewhat circular.

> Please review an attached patch (filtered).

From a very quick look:

+libiberty (20161017-1+deb8u1) jessie-proposed-updates; urgency=medium
+libiberty (20161017-1) unstable; urgency=medium

That's broken. The upload to stable needs to have a lower version than unstable.

diff -Nru libiberty-20141014/debian/compat libiberty-20161017/debian/compat
--- libiberty-20141014/debian/compat	2013-11-16 20:38:52.000000000 +0100
+++ libiberty-20161017/debian/compat	2016-02-15 20:15:24.000000000 +0100
@@ -1 +1 @@
-7
+9
[...]
-Build-Depends: debhelper (>= 8.0.0), autotools-dev
-Standards-Version: 3.9.6
+Build-Depends: debhelper (>= 9), autotools-dev

That's not an acceptable change for a stable update.

The debdiff also doesn't appear to contain any changes outside of debian/, which makes it impossible to review.

Regards,

Adam
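Review bot: the two changelog entries invert the required ordering: 20161017-1+deb8u1 for jessie-proposed-updates compares higher than 20161017-1 for unstable, so a jessie system carrying the update would never migrate to the unstable package. The stable upload should be versioned from the source already in jessie (the libiberty-20141014 tree named in the diff headers) with a +deb8u1 suffix, and its changelog entry should describe only the backported fixes for the CVEs listed in the request; the rename from libiberty-20141014 to libiberty-20161017 in the headers suggests a whole new upstream snapshot rather than a targeted backport.

Review bot: the debian/compat bump from 7 to 9 is unrelated to the CVE fixes and changes debhelper's defaults (compat 9 switches dh_auto_configure to multiarch library directories and takes build flags from dpkg-buildflags), so the rebuilt jessie binaries would differ for reasons other than the security fix; keep compat 7 in the jessie branch.

Review bot: the debian/control hunk removes "Standards-Version: 3.9.6" without a visible replacement line and raises Build-Depends to "debhelper (>= 9)"; both are packaging churn copied from the unstable upload rather than part of the security fix. For the jessie update keep "Build-Depends: debhelper (>= 8.0.0), autotools-dev" (consistent with compat 7) and leave the Standards-Version field alone; if the "[...]" hides a replacement Standards-Version line, post the unfiltered hunk so the full control change can be reviewed.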
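To make the version-ordering rule in the reply concrete, here is an added example that is not part of the thread and not dpkg's own code: a Python port of the dpkg version comparison algorithm (Debian Policy section 5.6.12, "Version"), applied to the versions from the debdiff. The revision 20141014-1+deb8u1 used as the "correct" jessie version is an assumption; the thread only shows the upstream snapshot date 20141014, not the Debian revision actually in jessie.

```python
"""Port of dpkg's version comparison, used to check stable-update versions.

Added illustration, not dpkg's code. Version strings look like
[epoch:]upstream[-revision]; upstream and revision are compared with
dpkg's verrevcmp algorithm: alternating non-digit and digit runs, where
'~' sorts before everything (even end of string), letters sort before
other non-digit characters, and digit runs compare numerically.
"""


def _isdigit(c: str) -> bool:
    return "0" <= c <= "9"


def _order(c: str) -> int:
    """Sort weight of one non-digit character, as in dpkg's order()."""
    if c == "~":
        return -1
    if _isdigit(c):
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_fragment(a: str, b: str) -> int:
    """Compare one upstream or revision fragment; returns -1, 0 or 1."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run: character by character with the modified ordering.
        # End of string has weight 0, so "1.0" sorts before "1.0a" but
        # after "1.0~rc1".
        while (i < len(a) and not _isdigit(a[i])) or (j < len(b) and not _isdigit(b[j])):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return -1 if ac < bc else 1
            i += 1
            j += 1
        # Digit run: drop leading zeros, then the longer run is larger and
        # otherwise the first differing digit decides.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        first_diff = 0
        while i < len(a) and _isdigit(a[i]) and j < len(b) and _isdigit(b[j]):
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and _isdigit(a[i]):
            return 1
        if j < len(b) and _isdigit(b[j]):
            return -1
        if first_diff:
            return -1 if first_diff < 0 else 1
    return 0


def _split(version: str):
    """Split [epoch:]upstream[-revision] into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(v1: str, v2: str) -> int:
    """Return -1, 0 or 1 like `dpkg --compare-versions` would order v1 and v2."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    c = _cmp_fragment(u1, u2)
    if c:
        return c
    return _cmp_fragment(r1, r2)


def stable_update_sorts_below_unstable(stable: str, unstable: str) -> bool:
    """The rule from the thread: a stable upload must compare lower than unstable."""
    return compare_versions(stable, unstable) < 0


if __name__ == "__main__":
    # Versions as they appear in the debdiff quoted in the reply.
    print(stable_update_sorts_below_unstable("20161017-1+deb8u1", "20161017-1"))  # False: broken
    # Assumed correct scheme: jessie's 20141014 snapshot plus a +deb8u1 suffix.
    print(stable_update_sorts_below_unstable("20141014-1+deb8u1", "20161017-1"))  # True
```

The "+deb8u1" suffix works because "+" sorts after end of string, so 20141014-1+deb8u1 is above 20141014-1 (the package it replaces in jessie) but the upstream part 20141014 still sorts below 20161017, keeping the upgrade path to unstable intact.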