Hi Sebastiaan,

On Wed, Jan 08, 2014 at 11:15:56PM +0100, Sebastiaan Couwenberg wrote:
> Hi Salvatore,
>
> On 01/08/2014 10:09 AM, Salvatore Bonaccorso wrote:
> > On Wed, Jan 08, 2014 at 08:40:35AM +0100, Sebastiaan Couwenberg wrote:
> >> On 01/08/2014 08:25 AM, Salvatore Bonaccorso wrote:
> >>> If you fix the vulnerability please also make sure to include the
> >>> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> >>
> >> The new mapserver packages were prepared before the CVE was available.
>
> I've prepared new mapserver packages for squeeze and wheezy with only
> the fix for this CVE; the new stable upstream release route I initially
> took is not proper to fix this issue.
>
> mapserver (6.0.1-3.2+deb7u2) for wheezy:
>
> http://mentors.debian.net/debian/pool/main/m/mapserver/mapserver_6.0.1-3.2+deb7u2.dsc
>
> mapserver (5.6.5-2+squeeze3) for squeeze:
>
> http://mentors.debian.net/debian/pool/main/m/mapserver/mapserver_5.6.5-2+squeeze3.dsc
>
> The squeeze package contained debhelper.log files in the debian/
> directory, which caused problems for clean pbuilder builds, so they were
> removed. And dpatch insisted on changing the permissions. I've included
> these changes in the squeeze package too.
>
> >>> Please adjust the affected versions in the BTS as needed, at least
> >>> unstable from looking at source seems affected.
> >>
> >> Unstable is no longer affected with the upload of mapserver 6.4.1; wheezy
> >> and squeeze still are, but the proposed updates for both are waiting for
> >> feedback from the release team:
> >
> > Could you clarify if the second commit referenced in
> >
> > https://github.com/mapserver/mapserver/issues/4834
> > (WFS-2 specific fixes for postgis time sql injections (#4834,#4815))
> >
> > is also needed? Is this relevant for Debian?
>
> No, the WFS-2 specific commit shouldn't be relevant for Debian yet.
>
> The vulnerability was discovered during the implementation of WFS 2.0
> support in MapServer. That support only lives in the master branch for
> now and will be included in the next major upstream release.

Okay, thanks for this explanation.

Regarding the upload for security: we have tagged this issue 'no-dsa' [1], meaning that no DSA is planned for this vulnerability alone. So if you are planning to do a (old)stable-proposed-updates upload, the above can be included there (either by an update to a new upstream version as you propose or by an isolated patch; it depends on what the release team would like to have for these two opu and pu requests).

[1] https://security-tracker.debian.org/tracker/CVE-2013-7262

Thanks again for the quick follow-ups.

Regards,
Salvatore
_______________________________________________
Pkg-grass-devel mailing list
Pkg-grass-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-grass-devel