On Tue, Apr 09, 2019 at 06:49:16PM +0200, Ivo De Decker wrote:
> Hi Salvatore,
>
> On 4/8/19 10:59 PM, Salvatore Bonaccorso wrote:
> > Control: reassign -1 src:kdepim
> > On Mon, Apr 08, 2019 at 11:36:10AM +0200, Ivo De Decker wrote:
> > > Hi,
> > >
> > > On Sat, May 19, 2018 at 07:18:06PM +0200, Sandro Knauß wrote:
> > > > I now created a debdiff for kdepim. The patch depends on the new
> > > > symbol that was added in new messageviewer (see #899127).
> > >
> > > Does this bug still affect buster/sid? From the bug log and the tracker
> > > for CVE-2017-17689, it looks like kmail in buster/sid is not affected,
> > > but it would be good if someone could confirm that.
> >
> > I think the tracking problem was here that #899128 is associated with
> > src:meta-kde, but it should be src:kdepim (#899128) and respectively
> > kf5-messagelib was #899127. The issue was fixed in the kf5-messagelib
> > in version 4:18.08.1-1. In stretch src:kdepim was a source package,
> > whilst in buster kdepim is a binary package produced by kde-meta, but
> > the issue lies there in src:kf5-messagelib.
>
> The tracker for CVE-2017-17689 doesn't list anything related to kdepim or
> src:meta-kde for buster. Is the issue fixed in the binary kdepim (produced
> by src:meta-kde) in buster? If so, that should probably be stated explicitly
> in the tracker.

For buster the affected code is in src:kf5-messagelib and fixed in 4:18.08.1-1
In stretch the affected code is in src:kdepim
In Buster the binary package kdepim is now built out of src:meta-kde, but that
was never affected. That's why we don't track src:meta-kde at all in
https://security-tracker.debian.org/tracker/CVE-2017-17689

Does that clarify?

Cheers,
Moritz