Thanks for the debdiff! I have a few comments:

 * debian/changelog does not use 'precise-security'
 * debian/changelog is too terse. Per
   https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Update_the_packaging,
   it should be something like:

  * SECURITY UPDATE: use poll() instead of select() for checking file
    descriptor activity to also correctly work if more than FD_SETSIZE
    files are already open
    - http://arthurdejong.org/nss-pam-ldapd/CVE-2013-0288
    - <link to upstream patch #1>
    - <link to upstream patch #2>
    - ...
    - CVE-2013-0288
    - LP: #1347614

Importantly, as Daniel said, the patch does not match upstream. Upstream
http://arthurdejong.org/nss-pam-ldapd/CVE-2013-0288 has a minimal patch
that would be more appropriate for a security update:

 - http://arthurdejong.org/git/nss-pam-ldapd/commit/?id=7867b93f9a7c76b96f1571cddc1de0811134bb81

That said, we could incorporate the larger patchset:

 - http://arthurdejong.org/git/nss-pam-ldapd/commit/?id=f266f05f20afe73e89c3946a7bd60bd7c5948e1b

if it could be shown to be correct and free of regressions.

Please do one of:

 - update the patch for the changelog changes, use the minimal patch and
   document it in debian/changelog
 - update the patch for the changelog changes, use the bigger patchset,
   document the patch URLs in debian/changelog. Please also detail the
   testing performed.

Unsubscribing ubuntu-security-sponsors for now. Please resubscribe after
attaching a new debdiff. Thanks again.

** Changed in: nss-pam-ldapd (Ubuntu)
       Status: New => In Progress

** Changed in: nss-pam-ldapd (Ubuntu)
     Assignee: (unassigned) => Mike Heald (jedimike)

--
https://bugs.launchpad.net/bugs/1347614

Title:
  Fix for CVE-2013-0288 in precise package