Jay Berkenbilt <q...@debian.org> wrote:

>> They also send me links to the upstream fixes:
>> http://bugs.icu-project.org/trac/changeset/32865
>> http://bugs.icu-project.org/trac/changeset/32908
>
> I can prepare a new upload with these fixes and call it CVE-2013-0900.
> There's a one-line fix for a Malayalam rendering problem (which causes a
> crash on certain codes and is therefore a potential DOS attack) which I
> will probably include in the same upload. Ordinarily I would not fix
> two issues in the same upload, particularly during a freeze, but the
> extreme simplicity of the second one makes me think this will be okay in
> this case.
Actually, these changes don't apply cleanly to ICU 4.8. There are namespace changes and other type changes so that even manually resolving the conflicts doesn't produce something that compiles. I don't have time to resolve this... I may have to fall back to my de-facto "strategy" of waiting for someone else who has more time than I do to take care of it.

I think ICU 4.8 is still in active security support at Red Hat. I have often been the beneficiary of their good work on backporting security issues.

--
Jay Berkenbilt <q...@debian.org>