Hi,

On 29 April 2014 08:11, Guillem Jover <guil...@debian.org> wrote:
[...]
> 2. Revert the patch and add versioned dependencies against the working
> patch package. This might require some dist-upgrade tests, though.
> 3. Fix the patch to take into account the old behaviour, by checking
> if either of the filenames (escaped and unescaped) are unsafe.
>
> I guess the last one is the “safest option”. In any case I'd like
> input from the security team (CCed just to make sure you get this),
> and I'm very sorry guys about this. :(
This goes both ways:

* if using dependencies, they would need to be added to all versions so
  that e.g. wheezy's dpkg can't be used with squeeze's patch
* if handling both behaviors, it should also apply to both releases.

Unless I missed something, of course.

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
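An added illustration of option 3 from the quoted mail (checking both the escaped and the unescaped filename); this is example code, not dpkg's own Perl implementation, and it assumes GNU patch-style C escapes (backslash letters and up to three octal digits) inside a double-quoted header name:

```python
import re

# Assumption (not from the mail): GNU patch-style C escapes in a "..."-quoted name.
_ESCAPES = {'n': '\n', 't': '\t', 'r': '\r', 'a': '\a', 'b': '\b',
            'f': '\f', 'v': '\v', '\\': '\\', '"': '"'}

def unescape_quoted(token: str) -> str:
    """Decode a quoted header filename; unquoted tokens are returned verbatim."""
    if not (len(token) >= 2 and token[0] == '"' and token[-1] == '"'):
        return token
    body, out, i = token[1:-1], [], 0
    while i < len(body):
        if body[i] != '\\':
            out.append(body[i])
            i += 1
            continue
        m = re.match(r'[0-7]{1,3}', body[i + 1:])
        if m:                                   # octal escape, e.g. \056 is '.'
            out.append(chr(int(m.group(0), 8)))
            i += 1 + len(m.group(0))
        elif i + 1 < len(body) and body[i + 1] in _ESCAPES:
            out.append(_ESCAPES[body[i + 1]])
            i += 2
        else:
            raise ValueError("malformed escape in %r" % token)
    return ''.join(out)

def is_unsafe_path(name: str) -> bool:
    """True if the name could write outside the unpack directory."""
    return (name == '' or name.startswith('/') or '\0' in name
            or '..' in name.split('/'))

def header_filename(line: str) -> str:
    """Filename token of a '--- ' / '+++ ' line, quotes kept, timestamp dropped."""
    if line[:4] not in ('--- ', '+++ '):
        raise ValueError("not a file header: %r" % line)
    rest = line[4:].rstrip('\n')
    if rest.startswith('"'):
        m = re.match(r'"(?:[^"\\]|\\.)*"', rest)
        if not m:
            raise ValueError("unterminated quoted name: %r" % line)
        return m.group(0)
    return rest.split('\t', 1)[0]

def patch_header_is_unsafe(line: str) -> bool:
    """Reject if EITHER the literal token (what a patch(1) without unquoting
    would use) OR the unescaped name is unsafe, as option 3 proposes."""
    token = header_filename(line)
    try:
        unescaped = unescape_quoted(token)
    except ValueError:
        return True   # undecodable name: refuse rather than guess
    return is_unsafe_path(token) or is_unsafe_path(unescaped)
```

The constructed headers in the test show the two cases the thread cares about: a literal name that is already absolute, and a quoted name that only becomes `..` after unescaping.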