Debian Bug report logs - #892590
graphite2: CVE-2018-7999: null pointer dereference in Segment()
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian LibreOffice Maintainers <debian-openoffice@lists.debian.org>: Bug#892590; Package src:graphite2. (Sun, 11 Mar 2018 07:45:05 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian LibreOffice Maintainers <debian-openoffice@lists.debian.org>. (Sun, 11 Mar 2018 07:45:05 GMT)
Message #5 received at submit@bugs.debian.org:
Source: graphite2
Version: 1.3.10-8
Severity: important
Tags: patch security upstream
Forwarded: https://github.com/silnrsi/graphite/issues/22
Control: found -1 1.3.11-1
Hi,
the following vulnerability was published for graphite2.
CVE-2018-7999[0]:
| In libgraphite2 in graphite2 1.3.11, a NULL pointer dereference
| vulnerability was found in Segment.cpp during a dumbRendering
| operation, which may allow attackers to cause a denial of service or
| possibly have unspecified other impact via a crafted .ttf file.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2018-7999
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7999
[1] https://github.com/silnrsi/graphite/issues/22
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
Marked as found in versions graphite2/1.3.11-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Sun, 11 Mar 2018 07:45:05 GMT)
Marked as found in versions graphite2/1.3.10-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 11 Mar 2018 08:33:03 GMT)
Message sent on to Salvatore Bonaccorso <carnil@debian.org>: Bug#892590. (Sun, 11 Mar 2018 12:30:03 GMT)
Message #12 received at 892590-submitter@bugs.debian.org:
Control: tag -1 pending
Hello,
Bug #892590 in graphite2 reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below, and you can check the diff of the fix at:
https://salsa.debian.org/libreoffice-team/graphite2/commit/be3be5c0d22bd4d80978be69d99dbfd4bc83ad8d
------------------------------------------------------------------------
backport upstream commit db132b4731a9b4c9534144ba3a18e65b390e9ff6 to fix CVE-2018-7999 (closes: #892590)
------------------------------------------------------------------------
(this message was generated automatically)
--
Greetings
https://bugs.debian.org/892590
Added tag(s) pending. Request was from rene@rene-engelhard.de to 892590-submitter@bugs.debian.org. (Sun, 11 Mar 2018 12:30:03 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Debian LibreOffice Maintainers <debian-openoffice@lists.debian.org>: Bug#892590; Package src:graphite2. (Sun, 11 Mar 2018 13:06:03 GMT)
Acknowledgement sent to Rene Engelhard <rene@debian.org>: Extra info received and forwarded to list. Copy sent to Debian LibreOffice Maintainers <debian-openoffice@lists.debian.org>. (Sun, 11 Mar 2018 13:06:03 GMT)
Message #19 received at 892590@bugs.debian.org:
Hi,
On Sun, Mar 11, 2018 at 08:43:32AM +0100, Salvatore Bonaccorso wrote:
> CVE-2018-7999[0]:
> | In libgraphite2 in graphite2 1.3.11, a NULL pointer dereference
> | vulnerability was found in Segment.cpp during a dumbRendering
> | operation, which may allow attackers to cause a denial of service or
> | possibly have unspecified other impact via a crafted .ttf file.
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2018-7999
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7999
> [1] https://github.com/silnrsi/graphite/issues/22
upstream fix backported. Uploaded to sid.
Merged this for jessie and stretch, too. See attached debdiffs. Want me
to upload for a DSA?
(for the jessie branch I also had an embarrassing typo fix pending.
Included. If I should remove that one I can, though, too)
Regards,
Rene
[stretch.debdiff (text/plain, attachment)]
[jessie.debdiff (text/plain, attachment)]
Message sent on to Salvatore Bonaccorso <carnil@debian.org>: Bug#892590. (Sun, 11 Mar 2018 13:06:05 GMT)
Message #22 received at 892590-submitter@bugs.debian.org:
Control: tag -1 pending
Hello,
Bug #892590 in graphite2 reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below, and you can check the diff of the fix at:
https://salsa.debian.org/libreoffice-team/graphite2/commit/cddea134d89f56911f6817c69d19ac2866a5da5d
------------------------------------------------------------------------
backport upstream commit db132b4731a9b4c9534144ba3a18e65b390e9ff6 to fix CVE-2018-7999 (closes: #892590)
------------------------------------------------------------------------
(this message was generated automatically)
--
Greetings
https://bugs.debian.org/892590
Message sent on to Salvatore Bonaccorso <carnil@debian.org>: Bug#892590. (Sun, 11 Mar 2018 13:06:06 GMT)
Message #25 received at 892590-submitter@bugs.debian.org:
Control: tag -1 pending
Hello,
Bug #892590 in graphite2 reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below, and you can check the diff of the fix at:
https://salsa.debian.org/libreoffice-team/graphite2/commit/cddea134d89f56911f6817c69d19ac2866a5da5d
------------------------------------------------------------------------
backport upstream commit db132b4731a9b4c9534144ba3a18e65b390e9ff6 to fix CVE-2018-7999 (closes: #892590)
------------------------------------------------------------------------
(this message was generated automatically)
--
Greetings
https://bugs.debian.org/892590
Reply sent to Rene Engelhard <rene@debian.org>: You have taken responsibility. (Sun, 11 Mar 2018 13:09:04 GMT)
Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Sun, 11 Mar 2018 13:09:04 GMT)
Message #30 received at 892590-close@bugs.debian.org:
Source: graphite2
Source-Version: 1.3.11-2
We believe that the bug you reported is fixed in the latest version of
graphite2, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 892590@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Rene Engelhard <rene@debian.org> (supplier of updated graphite2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sun, 11 Mar 2018 13:22:48 +0100
Source: graphite2
Binary: libgraphite2-3 libgraphite2-dev libgraphite2-doc libgraphite2-utils
Architecture: source
Version: 1.3.11-2
Distribution: unstable
Urgency: medium
Maintainer: Debian LibreOffice Maintainers <debian-openoffice@lists.debian.org>
Changed-By: Rene Engelhard <rene@debian.org>
Description:
libgraphite2-3 - Font rendering engine for Complex Scripts -- library
libgraphite2-dev - Development files for libgraphite2
libgraphite2-doc - Documentation for libgraphite2
libgraphite2-utils - Font rendering engine for Complex Scripts -- utilities
Closes: 892590
Changes:
graphite2 (1.3.11-2) unstable; urgency=medium
.
* backport upstream commit db132b4731a9b4c9534144ba3a18e65b390e9ff6
to fix CVE-2018-7999 (closes: #892590)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
Information forwarded to debian-bugs-dist@lists.debian.org, Debian LibreOffice Maintainers <debian-openoffice@lists.debian.org>: Bug#892590; Package src:graphite2. (Sun, 11 Mar 2018 13:33:03 GMT)
Acknowledgement sent to Rene Engelhard <rene@rene-engelhard.de>: Extra info received and forwarded to list. Copy sent to Debian LibreOffice Maintainers <debian-openoffice@lists.debian.org>. (Sun, 11 Mar 2018 13:33:03 GMT)
Message #35 received at 892590@bugs.debian.org:
Hi,
On Sun, Mar 11, 2018 at 02:02:22PM +0100, Rene Engelhard wrote:
> On Sun, Mar 11, 2018 at 08:43:32AM +0100, Salvatore Bonaccorso wrote:
> > CVE-2018-7999[0]:
> > | In libgraphite2 in graphite2 1.3.11, a NULL pointer dereference
> > | vulnerability was found in Segment.cpp during a dumbRendering
> > | operation, which may allow attackers to cause a denial of service or
> > | possibly have unspecified other impact via a crafted .ttf file.
> >
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> >
> > For further information see:
> >
> > [0] https://security-tracker.debian.org/tracker/CVE-2018-7999
> > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7999
> > [1] https://github.com/silnrsi/graphite/issues/22
>
> upstream fix backported. Uploaded to sid.
>
> Merged this for jessie and stretch, too. See attached debdiffs. Want me
> to upload for a DSA?
>
> (for the jessie branch I also had an embarrassing typo fix pending.
> Included. If I should remove that one I can, though, too)
I'll remove that one, since stretch doesn't have it done either...
New diff attached.
Regards,
Rene
[jessie.debdiff (text/plain, attachment)]
Information forwarded to debian-bugs-dist@lists.debian.org, Debian LibreOffice Maintainers <debian-openoffice@lists.debian.org>: Bug#892590; Package src:graphite2. (Sun, 11 Mar 2018 18:00:04 GMT)
Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>: Extra info received and forwarded to list. Copy sent to Debian LibreOffice Maintainers <debian-openoffice@lists.debian.org>. (Sun, 11 Mar 2018 18:00:04 GMT)
Message #40 received at 892590@bugs.debian.org:
On Sun, Mar 11, 2018 at 02:02:22PM +0100, Rene Engelhard wrote:
> Hi,
>
> On Sun, Mar 11, 2018 at 08:43:32AM +0100, Salvatore Bonaccorso wrote:
> > CVE-2018-7999[0]:
> > | In libgraphite2 in graphite2 1.3.11, a NULL pointer dereference
> > | vulnerability was found in Segment.cpp during a dumbRendering
> > | operation, which may allow attackers to cause a denial of service or
> > | possibly have unspecified other impact via a crafted .ttf file.
> >
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> >
> > For further information see:
> >
> > [0] https://security-tracker.debian.org/tracker/CVE-2018-7999
> > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7999
> > [1] https://github.com/silnrsi/graphite/issues/22
>
> upstream fix backported. Uploaded to sid.
>
> Merged this for jessie and stretch, too. See attached debdiffs. Want me
> to upload for a DSA?
This doesn't warrant a DSA, we can either postpone until the next more
severe graphite vulnerability or fix it via a point update.
Cheers,
Moritz
Information forwarded to debian-bugs-dist@lists.debian.org, Debian LibreOffice Maintainers <debian-openoffice@lists.debian.org>: Bug#892590; Package src:graphite2. (Sun, 11 Mar 2018 18:09:03 GMT)
Acknowledgement sent to Rene Engelhard <rene@debian.org>: Extra info received and forwarded to list. Copy sent to Debian LibreOffice Maintainers <debian-openoffice@lists.debian.org>. (Sun, 11 Mar 2018 18:09:03 GMT)
Message #45 received at 892590@bugs.debian.org:
Hi,
On Sun, Mar 11, 2018 at 06:56:30PM +0100, Moritz Mühlenhoff wrote:
> On Sun, Mar 11, 2018 at 02:02:22PM +0100, Rene Engelhard wrote:
> > Hi,
> >
> > On Sun, Mar 11, 2018 at 08:43:32AM +0100, Salvatore Bonaccorso wrote:
> > > CVE-2018-7999[0]:
> > > | In libgraphite2 in graphite2 1.3.11, a NULL pointer dereference
> > > | vulnerability was found in Segment.cpp during a dumbRendering
> > > | operation, which may allow attackers to cause a denial of service or
> > > | possibly have unspecified other impact via a crafted .ttf file.
> > >
> > > If you fix the vulnerability please also make sure to include the
> > > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> > >
> > > For further information see:
> > >
> > > [0] https://security-tracker.debian.org/tracker/CVE-2018-7999
> > > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7999
> > > [1] https://github.com/silnrsi/graphite/issues/22
> >
> > upstream fix backported. Uploaded to sid.
> >
> > Merged this for jessie and stretch, too. See attached debdiffs. Want me
> > to upload for a DSA?
>
> This doesn't warrant a DSA, we can either postpone until the next more
> severe graphite vulnerability or fix it via a point update.
OK.
Regards,
Rene
Information forwarded to debian-bugs-dist@lists.debian.org, Debian LibreOffice Maintainers <debian-openoffice@lists.debian.org>: Bug#892590; Package src:graphite2. (Sun, 18 Mar 2018 06:12:03 GMT)
Acknowledgement sent to Abhijith PA <abhijith@disroot.org>: Extra info received and forwarded to list. Copy sent to Debian LibreOffice Maintainers <debian-openoffice@lists.debian.org>. (Sun, 18 Mar 2018 06:12:03 GMT)
Message #50 received at 892590@bugs.debian.org:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Hello.
I prepared LTS security update for graphite2[1]. Debdiff is attached.
All tests ran successfully. Please review.
-abhijith
[1] https://mentors.debian.net/debian/pool/main/g/graphite2/graphite2_1.3.10-1~deb7u2.dsc
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
[graphite2_deb7u2.debdiff (text/plain, attachment)]
[graphite2_deb7u2.debdiff.sig (application/pgp-signature, attachment)]
Information forwarded to debian-bugs-dist@lists.debian.org, Debian LibreOffice Maintainers <debian-openoffice@lists.debian.org>: Bug#892590; Package src:graphite2. (Mon, 19 Mar 2018 15:27:03 GMT)
Acknowledgement sent to Rene Engelhard <rene@debian.org>: Extra info received and forwarded to list. Copy sent to Debian LibreOffice Maintainers <debian-openoffice@lists.debian.org>. (Mon, 19 Mar 2018 15:27:03 GMT)
Message #55 received at 892590@bugs.debian.org:
On Sun, Mar 18, 2018 at 11:39:57AM +0530, Abhijith PA wrote:
> I prepared LTS security update for graphite2[1]. Debdiff is attached.
> All tests ran successfully. Please review.
Why would we need one given for jessie and stretch it is clearly marked
as no-DSA?
https://security-tracker.debian.org/tracker/source-package/graphite2
I think we don't and shouldn't do this.
Regards,
Rene
Information forwarded to debian-bugs-dist@lists.debian.org, Debian LibreOffice Maintainers <debian-openoffice@lists.debian.org>: Bug#892590; Package src:graphite2. (Mon, 19 Mar 2018 15:45:14 GMT)
Acknowledgement sent to Markus Koschany <apo@debian.org>: Extra info received and forwarded to list. Copy sent to Debian LibreOffice Maintainers <debian-openoffice@lists.debian.org>. (Mon, 19 Mar 2018 15:45:14 GMT)
Message #60 received at 892590@bugs.debian.org:
Hi,
On 19.03.2018 at 16:23, Rene Engelhard wrote:
> On Sun, Mar 18, 2018 at 11:39:57AM +0530, Abhijith PA wrote:
>> I prepared LTS security update for graphite2[1]. Debdiff is attached.
>> All tests ran successfully. Please review.
>
> Why would we need one given for jessie and stretch it is clearly marked
> as no-DSA?
>
> https://security-tracker.debian.org/tracker/source-package/graphite2
>
> I think we don't and shouldn't do this.
>
> Regards,
>
> Rene
No-dsa means that the security team won't handle it but it is still a
bug which can and should be fixed via a point update.
Regards,
Markus
[signature.asc (application/pgp-signature, attachment)]
Information forwarded to debian-bugs-dist@lists.debian.org, Debian LibreOffice Maintainers <debian-openoffice@lists.debian.org>: Bug#892590; Package src:graphite2. (Mon, 19 Mar 2018 16:09:02 GMT)
Acknowledgement sent to Rene Engelhard <rene@debian.org>: Extra info received and forwarded to list. Copy sent to Debian LibreOffice Maintainers <debian-openoffice@lists.debian.org>. (Mon, 19 Mar 2018 16:09:03 GMT)
Message #65 received at 892590@bugs.debian.org:
Hi,
On Mon, Mar 19, 2018 at 04:43:51PM +0100, Markus Koschany wrote:
> On 19.03.2018 at 16:23, Rene Engelhard wrote:
> > On Sun, Mar 18, 2018 at 11:39:57AM +0530, Abhijith PA wrote:
> >> I prepared LTS security update for graphite2[1]. Debdiff is attached.
> >> All tests ran successfully. Please review.
> >
> > Why would we need one given for jessie and stretch it is clearly marked
> > as no-DSA?
> >
> > https://security-tracker.debian.org/tracker/source-package/graphite2
> >
> > I think we don't and shouldn't do this.
> >
> > Regards,
> >
> > Rene
>
> No-dsa means that the security team won't handle it but it is still a
> bug which can and should be fixed via a point update.
This will happen (as Moritz said in
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892590#40) when the next
severe issue warranting a DSA comes up.
I am not going over the .-release procedure for this, I'd have uploaded
to security, though, but...
I don't think we should special-case our oldest,
soon-to-be-not-supported release.
Regards,
Rene
Information forwarded to debian-bugs-dist@lists.debian.org, Debian LibreOffice Maintainers <debian-openoffice@lists.debian.org>: Bug#892590; Package src:graphite2. (Mon, 19 Mar 2018 20:21:09 GMT)
Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>: Extra info received and forwarded to list. Copy sent to Debian LibreOffice Maintainers <debian-openoffice@lists.debian.org>. (Mon, 19 Mar 2018 20:21:09 GMT)
Message #70 received at 892590@bugs.debian.org:
On Mon, Mar 19, 2018 at 05:04:17PM +0100, Rene Engelhard wrote:
> I am not going over the .-release procedure for this, I'd have uploaded
> to security, though, but...
>
> I don't think we should special-case our oldest,
> soon-to-be-not-supported release.
Agreed, it doesn't make sense to fix this bug on its own. We can
simply piggyback it on the next more severe graphite update.
Cheers,
Moritz
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 17 Apr 2018 07:32:54 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:03:22 2019; Machine Name: buxtehude