Disregard my previous response. Red Hat and SUSE have both taken the patch from the bugzilla issue that upstream rejected, so I will do so as well. Uploading momentarily.
Jay Berkenbilt <q...@debian.org> wrote:

> Moritz Muehlenhoff <muehlenh...@univention.de> wrote:
>
>> Package: tiff
>> Severity: grave
>> Tags: security
>> Justification: user security hole
>>
>> Please see:
>> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3087
>>
>> This patch should fix it:
>> http://bugzilla.maptools.org/show_bug.cgi?id=2140
>
> Upstream rejected the patch in their bug 2140, and the patch's author
> said it was only a partial fix. The CVE references a bug in Novell's
> bugzilla, but even after creating an account, I don't have access to
> read the bug. So I'm really not sure what to do here. I could just
> blindly accept the patch, but then I'm permanently deviating from
> upstream. Should I discuss with upstream? I could grab Red Hat's
> latest SRPM and see how long they've been using this patch, or I could
> dig through upstream's CVS repository and see what the status is there.

-- 
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org