Hi all,

I have packaged the new version of libtool for unstable. This fixes CVE-2009-3736. I am looking for a sponsor for the upload.

The upstream changes are substantial (the diff between 2.2.6a and 2.2.6b is 7.3 MiB, so I have chosen not to attach it). Instead, I have attached a diff for my changes to just the debian directory. If you feel more comfortable building the package yourself, you can download the new upstream release directly, run 'uupdate -v 2.2.6b', then apply my diff. The uupdate applies cleanly.

The package can be found on mentors.debian.net:
- URL: http://mentors.debian.net/debian/pool/main/l/libtool
- Source repository: deb-src http://mentors.debian.net/debian unstable main contrib non-free
- dget http://mentors.debian.net/debian/pool/main/l/libtool/libtool_2.2.6b-0+nmu1.dsc

I would be glad if someone uploaded this package for me.

Kind regards,
Mike

-------------- next part --------------
A non-text attachment was scrubbed...
Name: libtool.diff
Type: text/x-diff
Size: 1991 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20091208/1758b0fa/attachment.diff>

On Wed, 9 Dec 2009 02:44:29 am Michael Gilbert wrote:
> Hi all,
>
> I have packaged the new version of libtool for unstable. This fixes
> CVE-2009-3736. I am looking for a sponsor for the upload.

Did you talk to the maintainer about this? You can't just upload a new upstream version without the maintainer's approval. An NMU needs to be as minimal as possible.

Cheers
Steffen

On Wed, 9 Dec 2009 18:19:57 +1100, Steffen Joeris wrote:
> On Wed, 9 Dec 2009 02:44:29 am Michael Gilbert wrote:
> > Hi all,
> >
> > I have packaged the new version of libtool for unstable. This fixes
> > CVE-2009-3736. I am looking for a sponsor for the upload.
> Did you talk to the maintainer about this?

I sent this same email to the bug report.

> You can't just upload a new upstream version without the maintainer's
> approval. An NMU needs to be as minimal as possible.

I know, which is why I made a diff of just my changes to the debian dir, and not the full diff. I figured either you all would take that and apply it or the maintainer would.

Mike

On Wed, 9 Dec 2009 04:20:09 pm Michael Gilbert wrote:
> On Wed, 9 Dec 2009 18:19:57 +1100, Steffen Joeris wrote:
> > On Wed, 9 Dec 2009 02:44:29 am Michael Gilbert wrote:
> > > Hi all,
> > >
> > > I have packaged the new version of libtool for unstable. This fixes
> > > CVE-2009-3736. I am looking for a sponsor for the upload.
> >
> > Did you talk to the maintainer about this?
>
> I sent this same email to the bug report.
>
> > You can't just upload a new upstream version without the maintainer's
> > approval. An NMU needs to be as minimal as possible.
>
> I know, which is why I made a diff of just my changes to the debian
> dir, and not the full diff. I figured either you all would take that
> and apply it or the maintainer would.

Ok, then let's leave it as a patch for the maintainer.

Cheers
Steffen