Leo Famulari wrote:
> On Sun, Jun 12, 2016 at 10:26:53PM +0200, Ludovic Courtès wrote:
[...]
>> Sorry, I explained myself poorly. Here, we (1) grafted Expat in master,
>> (2) upgraded Expat in core-updates, and (3) only after that did we merge
>> master in core-updates, making the merge more
On Sun, Jun 12, 2016 at 10:26:53PM +0200, Ludovic Courtès wrote:
> Leo Famulari wrote:
>
> > On Fri, Jun 10, 2016 at 02:59:49PM +0200, Ludovic Courtès wrote:
> >> Leo Famulari wrote:
> >> > The merge will probably be messy...
> >>
> >> We should leave it to you, to minimize breakage.
> >
>
Leo Famulari wrote:
> On Fri, Jun 10, 2016 at 02:59:49PM +0200, Ludovic Courtès wrote:
>> Leo Famulari wrote:
>> > The merge will probably be messy...
>>
>> We should leave it to you, to minimize breakage.
>
> Okay, should I do it today or is core-updates frozen?
It’s OK if you do it today
On Fri, Jun 10, 2016 at 02:59:49PM +0200, Ludovic Courtès wrote:
> Leo Famulari wrote:
> > The merge will probably be messy...
>
> We should leave it to you, to minimize breakage.
Okay, should I do it today or is core-updates frozen?
> > Off-topic: A regular package and a grafted package on m
Leo Famulari wrote:
> On Thu, Jun 09, 2016 at 12:43:17PM -0400, Leo Famulari wrote:
>> On Wed, Jun 08, 2016 at 01:10:16PM +0300, Efraim Flashner wrote:
>> > FWIW debian's expat-2.1.1(-3) still has the cve-2015-1283 applied.
>>
>> I looked at the expat Git repo and the original fix for CVE-2015
On Thu, Jun 09, 2016 at 12:43:17PM -0400, Leo Famulari wrote:
> On Wed, Jun 08, 2016 at 01:10:16PM +0300, Efraim Flashner wrote:
> > FWIW debian's expat-2.1.1(-3) still has the cve-2015-1283 applied.
>
> I looked at the expat Git repo and the original fix for CVE-2015-1283
> was part of 2.1.1. The
On Wed, Jun 08, 2016 at 01:10:16PM +0300, Efraim Flashner wrote:
> FWIW debian's expat-2.1.1(-3) still has the cve-2015-1283 applied.
I looked at the expat Git repo and the original fix for CVE-2015-1283
was part of 2.1.1. The improvement to the fix must be backported. I will
take the upstream com
On Wed, Jun 08, 2016 at 01:10:16PM +0300, Efraim Flashner wrote:
> On Tue, Jun 07, 2016 at 08:54:05PM -0400, Leo Famulari wrote:
> > gnu: expat: Fix CVE-2016-0718.
> > gnu: Remove unused patch.
> > gnu: libxslt: Update to 1.1.29.
>
> FWIW debian's expat-2.1.1(-3) still has the cve-2015-1283
Efraim Flashner wrote:
> FWIW debian's expat-2.1.1(-3) still has the cve-2015-1283 applied. Also,
> there's 2 new cves, cve-2012-6702 and cve-2016-5300
> https://www.debian.org/security/2016/dsa-3597
> https://sources.debian.net/src/expat/2.1.1-3/debian/patches/
Oh, good catch.
Ludo’.
On Wed, Jun 08, 2016 at 07:50:25AM -0400, Leo Famulari wrote:
> On Wed, Jun 08, 2016 at 01:10:16PM +0300, Efraim Flashner wrote:
> > On Tue, Jun 07, 2016 at 08:54:05PM -0400, Leo Famulari wrote:
> > > Leo Famulari (3):
> > > gnu: expat: Fix CVE-2016-0718.
> > > gnu: Remove unused patch.
> > >
On Wed, Jun 08, 2016 at 01:10:16PM +0300, Efraim Flashner wrote:
> On Tue, Jun 07, 2016 at 08:54:05PM -0400, Leo Famulari wrote:
> > Leo Famulari (3):
> > gnu: expat: Fix CVE-2016-0718.
> > gnu: Remove unused patch.
> > gnu: libxslt: Update to 1.1.29.
>
> FWIW debian's expat-2.1.1(-3) still
On Tue, Jun 07, 2016 at 08:54:05PM -0400, Leo Famulari wrote:
> It was not that simple to make these changes for core-updates, so I'm
> sending the patches for review.
>
> For expat, I "re-fix" a bug that was fixed on master already. This
> bug-fix is actually reachable from the HEAD of core-updat
It was not that simple to make these changes for core-updates, so I'm
sending the patches for review.
For expat, I "re-fix" a bug that was fixed on master already. This
bug-fix is actually reachable from the HEAD of core-updates, but for
some reason doesn't exist at HEAD. According to MITRE the bu