Hi Sandro, On Fri, Oct 14, 2016 at 10:56:00PM +0200, Sandro Knauß wrote: > Hi, > > now I'm fully confused - you said on IRC, I should better create a deb8u2 > ontop. Well I created now the debdiff for a deb8u2. > > So you can decide what is the best way for the sec team and what version > should be uploaded where.
Sorry then if some confusion was present. I looked at the debdiff you sent previously and it was a +deb8u1 with all changes. That would not have worked, since +deb8u1 is now already on security master and been rejected by dak. > diff -Nru kdepimlibs-4.14.2/debian/changelog > kdepimlibs-4.14.2/debian/changelog > --- kdepimlibs-4.14.2/debian/changelog 2016-10-12 18:20:26.000000000 > +0200 > +++ kdepimlibs-4.14.2/debian/changelog 2016-10-14 21:33:53.000000000 > +0200 > @@ -1,3 +1,14 @@ > +kdepimlibs (4:4.14.2-2+deb8u2) jessie-security; urgency=high > + > + * Team upload. > + * Additional patch to complete the fix for CVE-2016-7966 > + - Replace all scary charactars (", <, > and &) with safe HTML > + replacements. > + - Backport commit kcoreaddons 5e13d2439dbf540fdc840f0b0ab5b3ebf6642c6a > + in debian/patches/CVE-2016-7966_part2.diff > + > + -- Sandro Knauß <he...@debian.org> Fri, 14 Oct 2016 21:33:53 +0200 > + Thanks, that is exactly what I meant. Create a +deb8u2 with your additional needed fixes on top of the deb8u1 previously already uploaded by Scott. It's perfect now as you attached above. I will now no furhter interfere, since Moritz will take care of the DSA. Regards, Salvatore