On Wed, Nov 30, 2011 at 08:15:31PM +0000, Adam D. Barratt wrote:
> On Wed, 2011-11-30 at 14:22 -0430, Miguel Landaeta wrote:
> > I have prepared an upload to fix #650430 / CVE-2011-4358.
> >
> > This bug affects mojarra 2.0.3-1 in stable.
>
> Thanks for working on this.
>
> > I'm attaching the debdiff with the backported patch that fixes
> > this issue and the updated package meant for squeeze.
>
> It's not exactly a minimal patch - admittedly we've seen worse. :) I'm
> guessing that the .properties changes and the pulling in of logging code
> are part of the upstream patch, although I'm not really sure how they
> contribute to fixing the bug. Maybe I'm just getting cynical in my old
> age. :)
>
> > I plan to do an urgent upload to unstable before the weekend.
>
> It might be obvious and predictable, but for the record - the unstable
> upload needs to happen before stable. Preferably unstable wants to be
> fixed for a few days at least, in order to verify that no obvious
> regressions occur.
>
> > A patch and a link to a PoC can be found in the body of the #650430 report.
>
> Have the security team confirmed that they don't wish to handle this via
> a DSA? I couldn't see anything in the bug report or the security
> tracker which mentions not doing so.
No, this should be fixed through stable-security. Miguel, please upload to
stable-security as outlined here:

http://www.debian.org/doc/manuals/developers-reference/pkgs.html#bug-security-building

You need to build with "-sa", since mojarra is new in stable-security.

Cheers,
Moritz

Archive: http://lists.debian.org/20111130205954.GA9870@pisco.westfalen.local