Bug#905061: stretch-pu: package mruby/1.2.0+20161228+git30d5424a-1+deb9u1
On Tue, 2018-07-31 at 11:56 +0200, Moritz Mühlenhoff wrote:
> On Tue, Jul 31, 2018 at 11:29:16AM +0900, Nobuhiro Iwamatsu wrote:
[...]
> > I hereby propose an update for stretch of mruby.
>
> There's a few more no-dsa issues for mruby, if you're doing an update
> anyway, could you also check whether they make sense to be fixed in
> stretch?
>
> See here:
> https://security-tracker.debian.org/tracker/CVE-2018-10191
> https://security-tracker.debian.org/tracker/CVE-2018-14337
> https://security-tracker.debian.org/tracker/CVE-2018-12249
> https://security-tracker.debian.org/tracker/CVE-2018-12248
> https://security-tracker.debian.org/tracker/CVE-2018-11743

Ping?

Regards,

Adam
Processed: Re: Bug#905061: stretch-pu: package mruby/1.2.0+20161228+git30d5424a-1+deb9u1
Processing control commands:

> tags -1 - moreinfo
Bug #905061 [release.debian.org] stretch-pu: package mruby/1.2.0+20161228+git30d5424a-1+deb9u1
Removed tag(s) moreinfo.

-- 
905061: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=905061
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#905061: stretch-pu: package mruby/1.2.0+20161228+git30d5424a-1+deb9u1
Control: tags -1 - moreinfo

Hi,

On Sun, Aug 26, 2018 at 02:35:52PM +0100, Adam D. Barratt wrote:
> Control: tags -1 + moreinfo
>
> On 2018-07-31 03:29, Nobuhiro Iwamatsu wrote:
> > I hereby propose an update for stretch of mruby. It contains a patch
> > fixing CVE-2017-9527 [1]. The security issue was marked as being
> > no-DSA [2].
>
> According to the security tracker, that bug is not yet fixed in unstable -
> is that correct?

The version information on security-tracker was a bit misleading resp.
incorrect for unstable. The issue was fixed originally with an
experimental upload as 1.2.0+20170601+git51e0e690-1. Later on a
1.3.0-1 was uploaded to unstable, I checked and the change was
included there, so I fixed up the security-tracker information.

There is though still the proposal from Moritz, to include more fixes
in the proposed update if possible.

Regards,
Salvatore
Bug#905061: stretch-pu: package mruby/1.2.0+20161228+git30d5424a-1+deb9u1
Control: tags -1 + moreinfo

On 2018-07-31 03:29, Nobuhiro Iwamatsu wrote:
> I hereby propose an update for stretch of mruby. It contains a patch
> fixing CVE-2017-9527 [1]. The security issue was marked as being
> no-DSA [2].

According to the security tracker, that bug is not yet fixed in unstable -
is that correct?

Regards,

Adam
Processed: Re: Bug#905061: stretch-pu: package mruby/1.2.0+20161228+git30d5424a-1+deb9u1
Processing control commands:

> tags -1 + moreinfo
Bug #905061 [release.debian.org] stretch-pu: package mruby/1.2.0+20161228+git30d5424a-1+deb9u1
Added tag(s) moreinfo.

-- 
905061: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=905061
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#905061: stretch-pu: package mruby/1.2.0+20161228+git30d5424a-1+deb9u1
On Tue, Jul 31, 2018 at 11:29:16AM +0900, Nobuhiro Iwamatsu wrote:
> Package: release.debian.org
> Severity: normal
> Tags: stretch
> User: release.debian@packages.debian.org
> Usertags: pu
>
> Dear stable release manager,
>
> I hereby propose an update for stretch of mruby.

There's a few more no-dsa issues for mruby, if you're doing an update
anyway, could you also check whether they make sense to be fixed in
stretch?

See here:
https://security-tracker.debian.org/tracker/CVE-2018-10191
https://security-tracker.debian.org/tracker/CVE-2018-14337
https://security-tracker.debian.org/tracker/CVE-2018-12249
https://security-tracker.debian.org/tracker/CVE-2018-12248
https://security-tracker.debian.org/tracker/CVE-2018-11743

Cheers,
Moritz
Bug#905061: stretch-pu: package mruby/1.2.0+20161228+git30d5424a-1+deb9u1
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Dear stable release manager,

I hereby propose an update for stretch of mruby. It contains a patch
fixing CVE-2017-9527 [1]. The security issue was marked as being
no-DSA [2].

The changelog entry is:

mruby (1.2.0+20161228+git30d5424a-1+deb9u1) stretch; urgency=high

  * Backport patches from 1.3.0. (Closes: #865778)
    - CVE-2017-9527: heap-based use-after-free

 -- Nobuhiro Iwamatsu Tue, 14 Nov 2017 12:40:35 +0900

Please see the attached debdiff for details.

Best regards,
  Nobuhiro

[1] https://bugs.debian.org/865778
[2] https://security-tracker.debian.org/tracker/CVE-2017-9527

-- 
Nobuhiro Iwamatsu
   iwamatsu at {nigauri.org / debian.org}
   GPG ID: 40AD1FA6

Attachment: mruby_1.2.0+20161228+git30d5424a-1+deb9u1.debdiff
Description: Binary data