On Wed, Feb 14, 2018 at 02:56:24PM +0530, Abhijith PA wrote:
> Hello.
>
> I prepared LTS security update for leptonlib. Please review and upload.
> You can find debdiff along with the mail.
> link:
> https://mentors.debian.net/debian/pool/main/l/leptonlib/leptonlib_1.69-3.1+deb7u1.dsc
>

Abhijith,

I have reviewed and uploaded the package.

While you backported the upstream fix, I feel like their approach falls under item #2 of "The Six Dumbest Ideas in Computer Security [0]": Enumerating Badness. I cannot help but wonder if another vulnerability will be uncovered later that uses different characters that are not being checked.

In any event, once you receive the ACCEPT notice from the archive software you should be able to publish the DLA.

Regards,

-Roberto

--
Roberto C. Sánchez