Bug#932924: tt-rss: Packaging work for new upstream release 21.1
On 05/02/21 4:24 pm, Sebastian Reichel wrote:
[...]
>
> I had some pending work from last year doing some of these changes
> and some additional things. Back then I stopped when reaching the
> gettext part wondering how to solve it (IIUIC upstream's version
> has some security fixes). Anyways your solution is better than doing
> nothing, so I merged everything together and just uploaded a new
> version.

Just to summarize the situation with php-gettext: the library had a single security issue with use of eval() when parsing plural expressions (#976135). In Debian, it now has a proper fix through the implementation of a plural expression parser instead of using eval(). While there is no response from upstream for the merge request, tt-rss apparently picked up the fix in its vendored copy of gettext library. In Debian, tt-rss uses the Debian package for php-gettext. So, everything is in good shape for this security issue.

Other security issues found and fixed in upstream tt-rss (CVE-2020-25787 CVE-2020-25788 CVE-2020-25789) are unrelated to this.

>
> Your changes all looked sane and I'm mostly busy in the kernel world
> these days and your help is appreciated. If I saw it correctly you are
> not a DD, so I just gave you full permissions to the tt-rss repository.
> Feel free to work directly in the repository without doing pull requests.

Many thanks for permissions to the repository, the recent upload and in general for tt-rss.

--
Sunil
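The approach summarized in the message above (a dedicated plural expression parser in place of eval()), as an added sketch that is not the php-gettext or Debian patch code. It is written in Python rather than PHP, expects only the expression part of a Plural-Forms header, and the names `compile_plural` and `max_len` are hypothetical.

```python
import operator as op
import re

# Only these tokens may appear in a plural expression; anything else is rejected.
TOKEN = re.compile(r"\d+|n|\|\||&&|[=!<>]=|[-+*/%<>!?:()]")
# Binary operators grouped by precedence, loosest first (C rules).
LEVELS = [("||",), ("&&",), ("==", "!="), ("<", ">", "<=", ">="), ("+", "-"), ("*", "/", "%")]
OPS = {"==": op.eq, "!=": op.ne, "<": op.lt, ">": op.gt, "<=": op.le, ">=": op.ge,
       "+": op.add, "-": op.sub, "*": op.mul, "/": op.floordiv, "%": op.mod}

def compile_plural(expr, max_len=256):  # max_len is an assumed sanity limit
    """Parse the expression once and return a function n -> int. No eval()."""
    expr = expr.strip().rstrip(";")
    toks = TOKEN.findall(expr)
    # Any character that is neither whitespace nor part of a token is illegal.
    if len(expr) > max_len or "".join(toks) != "".join(expr.split()):
        raise ValueError("rejected plural expression")
    toks.reverse()  # pop() from the end consumes tokens left to right
    def peek():
        return toks[-1] if toks else None
    def take(want=None):
        if not toks or (want and toks[-1] != want):
            raise ValueError(f"expected {want or 'operand'}, got {peek()!r}")
        return toks.pop()
    def ternary():
        cond = binary(0)
        if peek() != "?":
            return cond
        take("?"); yes = ternary(); take(":"); no = ternary()
        return lambda n: yes(n) if cond(n) else no(n)  # untaken branch never runs
    def binary(level):
        if level == len(LEVELS):
            return unary()
        left = binary(level + 1)
        while peek() in LEVELS[level]:
            left = combine(take(), left, binary(level + 1))
        return left
    def combine(sym, l, r):
        if sym == "||": return lambda n: int(bool(l(n) or r(n)))
        if sym == "&&": return lambda n: int(bool(l(n) and r(n)))
        return lambda n: int(OPS[sym](l(n), r(n)))  # // and % match C for n >= 0
    def unary():
        tok = take()
        if tok == "!": f = unary(); return lambda n: int(not f(n))
        if tok == "(": f = ternary(); take(")"); return f
        if tok == "n": return lambda n: n
        if tok.isdigit(): v = int(tok); return lambda n: v
        raise ValueError(f"unexpected token {tok!r}")
    fn = ternary()
    if toks:
        raise ValueError(f"trailing token {peek()!r}")
    return fn
```

A translation catalog's plural rule is untrusted input, so the point of the whitelist tokenizer is that text outside the grammar fails at parse time instead of reaching an interpreter.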
Bug#932924: tt-rss: Packaging work for new upstream release 21.1
Hi Sunil,

On Thu, Feb 04, 2021 at 08:56:28AM +0100, Johannes Schauer Marin Rodrigues wrote:
> Quoting Johannes Schauer Marin Rodrigues (2021-02-04 08:50:51)
> > oh wow! Thanks a ton for all your work! This is fantastic. :)
>
> while this still stands

Ack.

> > Do you want to do the upload yourself? Just add yourself to Uploaders as well
> > while you are at it, you seem to know what you are doing and I'd love somebody
> > to help out with packaging. Feel free to just put your commits directly into
> > the packaging repo on salsa!

That's already part of the changes :)

> let me retract this -- somehow I didn't read "tt-rss" and confused packages XD
>
> It should of course not be me but Sebastian Reichel to make this call. :)

I had some pending work from last year doing some of these changes and some additional things. Back then I stopped when reaching the gettext part wondering how to solve it (IIUIC upstream's version has some security fixes). Anyways your solution is better than doing nothing, so I merged everything together and just uploaded a new version.

Your changes all looked sane and I'm mostly busy in the kernel world these days and your help is appreciated. If I saw it correctly you are not a DD, so I just gave you full permissions to the tt-rss repository. Feel free to work directly in the repository without doing pull requests.

Thanks,

--
Sebastian
Bug#932924: tt-rss: Packaging work for new upstream release 21.1
Quoting Johannes Schauer Marin Rodrigues (2021-02-04 08:50:51)
> oh wow! Thanks a ton for all your work! This is fantastic. :)

while this still stands

> Do you want to do the upload yourself? Just add yourself to Uploaders as well
> while you are at it, you seem to know what you are doing and I'd love somebody
> to help out with packaging. Feel free to just put your commits directly into
> the packaging repo on salsa!

let me retract this -- somehow I didn't read "tt-rss" and confused packages XD

It should of course not be me but Sebastian Reichel to make this call. :)