Bug#905061: stretch-pu: package mruby/1.2.0+20161228+git30d5424a-1+deb9u1

2018-11-01 Thread Adam D. Barratt
On Tue, 2018-07-31 at 11:56 +0200, Moritz Mühlenhoff wrote:
> On Tue, Jul 31, 2018 at 11:29:16AM +0900, Nobuhiro Iwamatsu wrote:
[...]
> > I hereby propose an update for stretch of mruby.
> 
> There's a few more no-dsa issues for mruby, if you're doing an update
> anyway, could you also check whether they make sense to be fixed in
> stretch?
> 
> See here:
> https://security-tracker.debian.org/tracker/CVE-2018-10191
> https://security-tracker.debian.org/tracker/CVE-2018-14337
> https://security-tracker.debian.org/tracker/CVE-2018-12249
> https://security-tracker.debian.org/tracker/CVE-2018-12248
> https://security-tracker.debian.org/tracker/CVE-2018-11743

Ping?

Regards,

Adam



Processed: Re: Bug#905061: stretch-pu: package mruby/1.2.0+20161228+git30d5424a-1+deb9u1

2018-09-16 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 - moreinfo
Bug #905061 [release.debian.org] stretch-pu: package 
mruby/1.2.0+20161228+git30d5424a-1+deb9u1
Removed tag(s) moreinfo.

-- 
905061: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=905061
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#905061: stretch-pu: package mruby/1.2.0+20161228+git30d5424a-1+deb9u1

2018-09-16 Thread Salvatore Bonaccorso
Control: tags -1 - moreinfo

Hi,

On Sun, Aug 26, 2018 at 02:35:52PM +0100, Adam D. Barratt wrote:
> Control: tags -1 + moreinfo
> 
> On 2018-07-31 03:29, Nobuhiro Iwamatsu wrote:
> > I hereby propose an update for stretch of mruby. It contains a patch
> > fixing CVE-2017-9527 [1]. The security issue was marked as being
> > no-DSA [2].
> 
> According to the security tracker, that bug is not yet fixed in unstable -
> is that correct?

The version information on security-tracker was a bit misleading resp.
incorrect for unstable. The issue was fixed originally with an
experimental upload as 1.2.0+20170601+git51e0e690-1. Later on a
1.3.0-1 was uploaded to unstable, I checked and the change was
included there, so I fixed up the security-tracker information.

There is though still the proposal from Moritz, to include more fixes
in the proposed update if possible.

Regards,
Salvatore



Bug#905061: stretch-pu: package mruby/1.2.0+20161228+git30d5424a-1+deb9u1

2018-08-26 Thread Adam D. Barratt

Control: tags -1 + moreinfo

On 2018-07-31 03:29, Nobuhiro Iwamatsu wrote:

> I hereby propose an update for stretch of mruby. It contains a patch
> fixing CVE-2017-9527 [1]. The security issue was marked as being
> no-DSA [2].


According to the security tracker, that bug is not yet fixed in unstable 
- is that correct?


Regards,

Adam



Processed: Re: Bug#905061: stretch-pu: package mruby/1.2.0+20161228+git30d5424a-1+deb9u1

2018-08-26 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + moreinfo
Bug #905061 [release.debian.org] stretch-pu: package 
mruby/1.2.0+20161228+git30d5424a-1+deb9u1
Added tag(s) moreinfo.

-- 
905061: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=905061
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#905061: stretch-pu: package mruby/1.2.0+20161228+git30d5424a-1+deb9u1

2018-07-31 Thread Moritz Mühlenhoff
On Tue, Jul 31, 2018 at 11:29:16AM +0900, Nobuhiro Iwamatsu wrote:
> Package: release.debian.org
> Severity: normal
> Tags: stretch
> User: release.debian@packages.debian.org
> Usertags: pu
> 
> Dear stable release manager,
> 
> I hereby propose an update for stretch of mruby.

There's a few more no-dsa issues for mruby, if you're doing an update
anyway, could you also check whether they make sense to be fixed in
stretch?

See here:
https://security-tracker.debian.org/tracker/CVE-2018-10191
https://security-tracker.debian.org/tracker/CVE-2018-14337
https://security-tracker.debian.org/tracker/CVE-2018-12249
https://security-tracker.debian.org/tracker/CVE-2018-12248
https://security-tracker.debian.org/tracker/CVE-2018-11743

Cheers,
Moritz




Bug#905061: stretch-pu: package mruby/1.2.0+20161228+git30d5424a-1+deb9u1

2018-07-30 Thread Nobuhiro Iwamatsu
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Dear stable release manager,

I hereby propose an update for stretch of mruby. It contains a patch
fixing CVE-2017-9527 [1]. The security issue was marked as being
no-DSA [2].

The changelog entry is:

  mruby (1.2.0+20161228+git30d5424a-1+deb9u1) stretch; urgency=high

    * Backport patches from 1.3.0. (Closes: #865778)
      - CVE-2017-9527: heap-based use-after-free

   -- Nobuhiro Iwamatsu   Tue, 14 Nov 2017 12:40:35 +0900

Please see the attached debdiff for details.

Best regards,
  Nobuhiro

[1] https://bugs.debian.org/865778
[2] https://security-tracker.debian.org/tracker/CVE-2017-9527

-- 
Nobuhiro Iwamatsu
   iwamatsu at {nigauri.org / debian.org}
   GPG ID: 40AD1FA6


mruby_1.2.0+20161228+git30d5424a-1+deb9u1.debdiff
Description: Binary data