On Thu, Mar 26, 2015 at 05:44:01AM +0000, Adam D. Barratt wrote:
> On Thu, 2015-03-26 at 00:13 +0000, Jelmer Vernooij wrote:
> > On Wed, Mar 25, 2015 at 07:59:06AM +0000, Adam D. Barratt wrote:
> [...]
> > > On 2015-03-25 1:31, Jelmer Vernooij wrote:
> > > [...]
> > > >User: release.debian....@packages.debian.org
> > > >Usertags: pu
> > >
> > > Updates via t-p-u are unblocks; "pu" is intended for stable updates. I
> > > realise that this apparently isn't clear from the reportbug wording.
> >
> > I was told to file a bug when I asked on #debian-release about
> > uploading to testing-proposed-updates.
>
> Yeah, that's fine; it's just the type of bug which was wrong. :-)

Ah, I see. I'll remember that for next time - thanks. :)

> > > >I'd like to upload a new version of dulwich to testing-proposed-updates.
> > > >unstable already has a new upstream version (0.9.8) from an upload in
> > > >November, and has diverged from testing.
> > > >
> > > >This upload would fix two serious security bugs:
> > > >
> > > >#780958 CVE-2015-0838: buffer overflow in C implementation of pack
> > > >apply_delta()
> > > >#780989 CVE-2014-9706: does not prevent to write files in commits with
> > > >invalid paths to working tree
> > >
> > > +dulwich (0.9.7-3) unstable; urgency=medium
> > >
> > > s/unstable/jessie/ :)
> > Whoops, fixed :)
> >
> > > The patches look okay, but according to the BTS metadata both bugs affect
> > > the package in unstable and are not yet fixed there. If that's correct,
> > > please fix unstable and then get back to us; if it's not, please fix the
> > > metadata to indicate where the bugs are fixed.
> >
> > The upload for unstable is probably stuck in NEW (behind another change that
> > required NEW processing).
>
> 0.9.8-2 made it out of NEW earlier this morning, judging from the logs.
> From a quick look that doesn't obviously include the fixes for the CVEs
> though.

It looks like ftp-master doesn't have my new GPG subkey yet and ignored my upload.
I've just reuploaded 0.10.1-1 signed with my master key.

Cheers,

Jelmer