On Sun, 2017-07-30 at 23:23 +0100, Luca Boccassi wrote:
> On Sun, 2017-07-30 at 23:19 +0100, Luca Boccassi wrote:
> > Control: tags -1 - moreinfo
> >
> > On Sun, 2017-07-30 at 23:04 +0100, Adam D. Barratt wrote:
> > > Control: tags -1 + moreinfo
> > >
> > > On Wed, 2017-07-26 at 22:51 +0100, Luca Boccassi wrote:
> > > > The non-free proprietary nvidia-graphics-drivers version 375.66 in
> > > > Stretch is affected by CVE-2017-6257 and CVE-2017-6259. Debian bug:
> > > >
> > > > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=869783
> > > >
> > > > Please consider allowing the new upstream version 375.82, which fixes
> > > > these CVEs, in proposed-updates. As usual with these proprietary
> > > > drivers, we cannot just cherry-pick the fixes for the CVEs as they are
> > > > in the binary blobs.
> > > >
> > > > I have tested this new version on a Stretch amd64 desktop and didn't
> > > > encounter any issue.
> > > >
> > > > The debdiff from 375.66-2~deb9u1 to 375.82-1 is attached.
> > >
> > > While I'm sure it's probably fine, could we have a diff of the proposed
> > > 375.82-1~deb9u1, as built and tested on stretch, please?
[...]
> > There were no changes when I opened the bug apart from the new
> > changelog entry.
> >
> > Andreas has since committed 2 small fixes to the changelog as well,
> > inlined, just minor clarifications. I still find the way upstream
> > compiles their changelog quite confusing and often make mistakes when
> > copying over :-)
> >
> > Kind regards,
> > Luca Boccassi
>
> To further clarify, the debdiff I attached originally is the one from
> the source I built and tested on Stretch.

That's rather confusing, given that it had the changelog set to
"unstable"...

Regards,

Adam