On Fri, Dec 10, 2010 at 07:45:18PM +0100, Moritz Muehlenhoff wrote:
> On Thu, Dec 09, 2010 at 10:48:46PM -0500, Michael Gilbert wrote:
> > I've isolated and applied the patches needed to fix CVE-2010-2055 in ghostscript. See attached debdiff.
> >
> > Would anyone be so kind to sponsor this? The package is at: http://mentors.debian.net/debian/pool/main/g/ghostscript/
>
> I don't have time to sponsor this currently, but this should be uploaded with urgency=low, since there's the potential that applications rely on the old, broken behaviour. I also remember that Jonas is still considering to introduce Ghostscript 9.0 into Squeeze. Jonas, what's the current status?
Michael is right - release team apparently was following my work and turned it down even before formally proposing it: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=584653#132
@Michael: Sorry, I won't sponsor your patch. As stated earlier as well, I consider myself incompetent juggling any more patches on top of the 8.71 stack.
You are quite welcome to join the ghostscript packaging team and take responsibility of it yourself - for the full duration of the next stable release cycle!
The packaging currently in experimental contains the minimal changeset I felt comfortable releasing for Debian Squeeze. Now that it has been turned down, my plan is to use the experimental branch for continued improvements cherry-picked from upstream VCS. If the release team should change their minds, it is easy for me to revive the current work and release it for unstable - if not (or the release of Squeeze) I will avoid the unstable branch.
Kind regards, and thanks anyway for your contribution,

 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private