[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH 0/3] Expat and libxslt changes for core-updates
|
From: |
Ludovic Courtès |
|
Subject: |
Re: [PATCH 0/3] Expat and libxslt changes for core-updates |
|
Date: |
Fri, 10 Jun 2016 14:59:49 +0200 |
|
User-agent: |
Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux) |
Leo Famulari <address@hidden> skribis:
> On Thu, Jun 09, 2016 at 12:43:17PM -0400, Leo Famulari wrote:
>> On Wed, Jun 08, 2016 at 01:10:16PM +0300, Efraim Flashner wrote:
>> > FWIW debian's expat-2.1.1(-3) still has the cve-2015-1283 applied.
>>
>> I looked at the expat Git repo and the original fix for CVE-2015-1283
>> was part of 2.1.1. The improvement to the fix must be backported. I will
>> take the upstream commit that applies the improvement.
>
> We adopt Debian's patch for CVE-2012-6702 and CVE-2016-5300 (already
> sent for review for the master branch).
>
> We also adapt the CVE-2015-1283 "re-fix" patch to apply to upstream's
> fix for CVE-2015-1283. The Debian "re-fix" patch had some context
> (comments) that did not exist in the upstream 2.1.1 release.
>
> And as before, we patch for CVE-2016-0718.
>
> It's not possible for me test this on core-updates (too much to build).
> On master, I made a new expat-2.1.1 package that inherited from expat
> and built that with the patches.
>
> The merge will probably be messy...
We should leave it to you, to minimize breakage.
> Off-topic: A regular package and a grafted package on master, and an
> updated version of the package on core-updates... this is getting very
> complicated and we should try our best to avoid such tangled situations
> in the future.
Do you think it would help to delay such upgrades in ‘core-updates’
until the time where ‘core-updates’ is getting ready for merge?
> From a4a3a09b40c5f98b2c2a3d15458ab086ce867c3d Mon Sep 17 00:00:00 2001
> From: Leo Famulari <address@hidden>
> Date: Tue, 7 Jun 2016 20:26:41 -0400
> Subject: [v2 1/2] gnu: expat: Fix CVE-2012-6702, CVE-2016-0718, and
> CVE-2016-5300.
>
> * gnu/packages/patches/expat-CVE-2012-6702-and-CVE-2016-5300.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add it.
> * gnu/packages/patches/expat-CVE-2015-1283-refix.patch: Adapt to upstream
> changes.
> * gnu/packages/xml.scm (expat)[source]: Use patches.
LGTM, thank you!
Ludo’.
- Re: [PATCH 2/3] gnu: Remove unused patch., (continued)
- [PATCH 3/3] gnu: libxslt: Update to 1.1.29., Leo Famulari, 2016/06/07
- Re: [PATCH 0/3] Expat and libxslt changes for core-updates, Efraim Flashner, 2016/06/08
- Re: [PATCH 0/3] Expat and libxslt changes for core-updates, Leo Famulari, 2016/06/08
- Re: [PATCH 0/3] Expat and libxslt changes for core-updates, Ludovic Courtès, 2016/06/08
- Re: [PATCH 0/3] Expat and libxslt changes for core-updates, Leo Famulari, 2016/06/09
- Re: [PATCH 0/3] Expat and libxslt changes for core-updates, Leo Famulari, 2016/06/09
- Re: [PATCH 0/3] Expat and libxslt changes for core-updates, Leo Famulari, 2016/06/09
- Re: [PATCH 0/3] Expat and libxslt changes for core-updates,
Ludovic Courtès <=
- Re: [PATCH 0/3] Expat and libxslt changes for core-updates, Leo Famulari, 2016/06/10
- Re: [PATCH 0/3] Expat and libxslt changes for core-updates, Ludovic Courtès, 2016/06/12
- Re: [PATCH 0/3] Expat and libxslt changes for core-updates, Leo Famulari, 2016/06/12
- Re: [PATCH 0/3] Expat and libxslt changes for core-updates, Ludovic Courtès, 2016/06/13