On Sun, Dec 23, 2007 at 12:37:45AM +0530, Varun Hiremath wrote:
> Hi Nico,
>
> On Sat, 22 Dec, 2007 at 07:46:12PM +0100, Nico Golde wrote:
> > Hi Varun,
> > * Varun Hiremath <[EMAIL PROTECTED]> [2007-12-22 19:12]:
> > > On Sat, 22 Dec, 2007 at 04:29:31PM +0100, Nico Golde wrote:
> > > > Hi,
> > > > attached is a patch for an NMU which fixes these issues.
> > > > It will be also archived on:
> > > > http://people.debian.org/~nion/nmu-diff/libjfreechart-java-1.0.8-1_1.0.8-1.1.patch
> > >
> > > These two patches are included in the new upstream release 1.0.8a
> > > which we already have ready for upload, but it introduces new bugs
> > > [1].
> >
> > Oh thanks I missed this in the bug report.
> >
> > > The bug [1] has been fixed in the jfreechart-1.0.x-branch but
> > > that branch doesn't seem to include the security fixes, so we can't
> > > update to that branch also. So, we thought of waiting for the new
> > > 1.0.9 release which should happen any time next week.
> >
> > Waiting for security releases is considered to be bad if you
> > can gather the information for fixing this issue.
> >
> > > @ Michael, should we release 1.0.8a version?
> >
> > No please not if it breaks things.
> >
> > Can you maybe ask upstream for the patch then?
> > His changes to the branch are in revision 676 but he later
> > removed some of them in 683 so I am bit confused about the
> > status of this in the branch.
>
> Exactly, even the upstream Changelog entries are totally confusing
> and haven't mentioned anywhere clearly that it fixes the concerned
> CVE. But, still I will try to ask him for a patch.
>
> I am on vacation from day after tomorrow, so Michael, could you please
> take care of this bug?

I will take care of this. I'm in private contact with the upstream author.

Cheers,
Michael