
Bug#827111: jessie-pu: package exim4/4.84.2-2
Hi Adam,

On Mon, Jul 25, 2016 at 06:54:08PM +0100, Adam D. Barratt wrote:
> [CC += team@security]
> 
> On Mon, 2016-07-25 at 19:35 +0200, Andreas Metzler wrote:
> > now we have 4.84.2-1+deb8u1 in stable security and 4.84.2-2 in spu would
> > overwrite it at the next stable release. How do I fix this properly?
> 
> :-(
> 
> The DSA claims -2+deb8u1 was released, but that's clearly incorrect.

Yes, please accept our apologies for that error on our end.

> > a) Redo 4.84.2-2 with 4.84.2-1+deb8u1 merged in
> 
> Packages in p-u have been built on buildds, are already on mirrors and
> may be on users' systems, so this is a no-go
> 
> > b) Release 4.84.2-3 with 4.84.2-1+deb8u1 merged in
> 
> Could we have a debdiff of that option, just to check that we're on the
> same page as to exactly what that means, please?

Since we claimed 4.84.2-2+deb8u1 in the DSA, would it help if we just
redo the update and push the packages (without a further announcement,
since that was the claimed version)?

Attached is how that would look, as a debdiff against 4.84.2-2.

Regards,
Salvatore
diff -Nru exim4-4.84.2/debian/changelog exim4-4.84.2/debian/changelog
--- exim4-4.84.2/debian/changelog	2016-06-13 19:33:16.000000000 +0200
+++ exim4-4.84.2/debian/changelog	2016-07-25 20:11:49.000000000 +0200
@@ -1,3 +1,12 @@
+exim4 (4.84.2-2+deb8u1) jessie-security; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+
+  [ Dominic Hargreaves ]
+  * eximstats: Remove . from @INC [CVE-2016-1238]
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Mon, 25 Jul 2016 20:10:44 +0200
+
 exim4 (4.84.2-2) jessie; urgency=medium
 
   * 90_Cutthrough-Fix-bug-with-dot-only-line.patch: JH/38 Fix cutthrough bug
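Review bot: the new changelog entry does not say that this upload re-applies the same CVE-2016-1238 fix that already shipped as 4.84.2-1+deb8u1 in jessie-security; since the point of 4.84.2-2+deb8u1 is to supersede both that version and the 4.84.2-2 in p-u, a line such as "Re-apply the CVE-2016-1238 fix from 4.84.2-1+deb8u1 on top of 4.84.2-2" would make the version history readable for anyone auditing what reached stable. The one-liner "Remove . from @INC" would also benefit from stating the effect (eximstats no longer searches the current working directory for Perl modules), which is the property a reader of the DSA will want to confirm.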
diff -Nru exim4-4.84.2/debian/patches/92_CVE-2016-1238.diff exim4-4.84.2/debian/patches/92_CVE-2016-1238.diff
--- exim4-4.84.2/debian/patches/92_CVE-2016-1238.diff	1970-01-01 01:00:00.000000000 +0100
+++ exim4-4.84.2/debian/patches/92_CVE-2016-1238.diff	2016-07-25 20:11:49.000000000 +0200
@@ -0,0 +1,11 @@
+--- a/src/eximstats.src	2016-07-24 22:29:53.000000000 +0100
++++ b/src/eximstats.src	2016-07-24 22:33:49.763365395 +0100
+@@ -550,6 +550,8 @@
+ 
+ =cut
+ 
++BEGIN { pop @INC if $INC[-1] eq '.' }
++
+ use integer;
+ use strict;
+ use IO::File;
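Review bot: the guard `BEGIN { pop @INC if $INC[-1] eq '.' }` only removes '.' when it is the last entry of @INC, which is where a default perl places it; if '.' has been pushed elsewhere (for example via PERL5LIB or -I), it survives, so a stricter alternative is `BEGIN { @INC = grep { $_ ne '.' } @INC }`. Either form is correctly placed: the BEGIN block sits after `=cut` and before `use integer;`, so it runs at compile time before the later `use` statements resolve their modules. The patch file also carries no DEP-3 header (Description/Origin/Bug fields naming CVE-2016-1238), which would help the next person rebasing the jessie branch.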
diff -Nru exim4-4.84.2/debian/patches/series exim4-4.84.2/debian/patches/series
--- exim4-4.84.2/debian/patches/series	2016-06-12 13:36:50.000000000 +0200
+++ exim4-4.84.2/debian/patches/series	2016-07-25 20:11:49.000000000 +0200
@@ -21,3 +21,4 @@
 89_02_Store-the-initial-working-directory.diff
 90_Cutthrough-Fix-bug-with-dot-only-line.patch
 91_Expansions-Fix-crash-in-crypteq-On-OpenBSD-a-bad-sec.patch
+92_CVE-2016-1238.diff
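Review bot: appending 92_CVE-2016-1238.diff at the end of series is the right order, as the patch is applied on top of the existing 89_ to 91_ patches and, judging by their names, none of those touch src/eximstats.src, so no conflicting hunks are expected; please confirm the quilt push succeeds cleanly against the 4.84.2-2 tree before upload.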