Control: tags -1 + confirmed

On Wed, 2016-01-27 at 15:49 +0100, Daniel Stender wrote:
> The new package fixes #812577 [0]: the patch no-predictable-tmpfiles.patch
> included in 0.6.3-1.2+deb7u1 fixed CVE-2015-7758 successfully, but has the
> flaw that temporary include paths for images etc. in the tex documents
> couldn't be used, but must be absolute (because a workfile [.tex.swp] in the
> project path is missing).
>
> In the meanwhile upstream released a fix for CVE-2015-7758 which elegantly
> uses an XDG cache dir for the temporary files to solve the problem [1].

Does this also affect the Jessie package?

[...]
> Please see the attached diff for changes between deb7u1 and deb7u2. I've built
> against Oldstable with Sbuild [2]. 0.6.3-1.2+deb7u1 is currently pending [3],
> I would guess it just could be replaced in the pending state?

Yes. In this context, "pending" means "in {,o-}p-u, waiting to form part of a
point release" so updated revisions aren't an issue (although, in fairness, the
old revision is then no longer actually in p-u; its contents are in practice
though).

Regards,

Adam