Pierre Joye wrote:
> Hello,
>
> On 1/2/07, Jonas Smedegaard <[EMAIL PROTECTED]> wrote:
>> >> While checking the current bug in debian libgd, I found the gnuplot
>> >> one (#368096).
>> >
>> > I forgot to mention that it does not segfault using CVS but using
>> > debian libgd.
>>
>> I am happy to hear that.
>>
>> I was made aware of the new upstream CVS code only a few days ago, but
>> have hesitated switching to that, as I found no mention of fixes to the
>> following publicly announced security issues:
>>
>> CAN-2004-0990: http://bugs.debian.org/278625
>
> Fixed, there is an overflow2 check now (gd_png.c line 319).
>
>> CVE-2006-2906: http://bugs.debian.org/372912
>
> Fixed, see #5 in libgd/ISSUES.

Excellent! Thanks for the confirmation.

>> Please confirm (preferably directly to those bugreports) that the
>> current code in fact is not vulnerable to those issues, and I will be
>> most happy to switch.
>
> Is it possible to not mix all discussions in one bug report? It
> will be confusing very quickly.

Most certainly. The intent was indeed for you to not respond here, but at
those respective bugreports instead.

I have done it now. If you reply to this email, then please target only
the bugreports relevant to what you want to comment on. And no need to cc
me when mailing bugreports: The package maintainer automatically gets a
copy.

I just want a single public place to place our conversation, and a single
reference in each relevant bugreport to where that place is.

> I'm installing the issues tracker, it
> should be online tonight, I would like to centralize all issues there,
> is it ok for you? (you can obviously keep the debian tracker but it
> will really ease our lives if we centralize gd bugs in the gd
> project).

I will happily use that issue tracker of yours as soon as it is up and
running.

Ideally you should not need to worry about the Debian issue tracker at
all. It is my job as package maintainer to juggle with multiple issue
tracking systems and multiple upstream developers. Not yours as upstream
developer.

Looking forward to your having an issue tracker of your own :-)

 - Jonas

-- 
* Jonas Smedegaard - idealist and Internet architect
* Tel.: +45 40843136  Website: http://dr.jones.dk/

- The end is near: http://www.shibumi.org/eoti.htm