Hi Chris, On Wed, Feb 05, 2014 at 04:31:07PM -0500, Chris Knadle wrote: > On Wednesday, February 05, 2014 22:16:32 Salvatore Bonaccorso wrote: > > Hi Chris, > > > > On Wed, Feb 05, 2014 at 11:09:00AM -0500, Chris Knadle wrote: > > > On Wednesday, February 05, 2014 16:10:36 Salvatore Bonaccorso wrote: > > > > Source: mumble > > > > Version: 1.2.3-349-g315b5f5-2.2 > > > > Severity: grave > > > > Tags: security upstream fixed-upstream > > > > > > > > Hi > > > > > > > > Mumble has released a new upstream version fixing CVE-2014-0044 and > > > > CVE-2014-0045. See upstream commits at: > > > > > > > > https://github.com/mumble-voip/mumble/commit/850649234d11685145193a59d72 > > > > d984 29e4f9ba7 > > > > https://github.com/mumble-voip/mumble/commit/d3be3d7b96a5130e4b20f23e327 > > > > b04 > > > > 0ea4d0b079 > > > > > > > > Upstream announces at > > > > > > > > http://mumble.info/security/Mumble-SA-2014-001.txt > > > > http://mumble.info/security/Mumble-SA-2014-002.txt > > > > > > > > Regards, > > > > Salvatore > > > > > > Thanks for fixing this. > > > > > > As these commits were authored only 5 days ago I'd think the current > > > 1.2.4-0.1 package in Sid and Jessie have this issue too, unless there's > > > some other mitigating factor with the stable 1.2.4 version. > > > > Yes it is also as it's supporting Opus; reason is that I concentrated > > first on the wheezy-security upload. > > Okay. Currently there's ABI breakage in protobuf 2.5.0-7 which will be fixed > with the -9 upload once it's finished being built; I have to wait for that > before we can upload a new 1.2.4 mumble package fixes. I've got both of the > CVE patches queued for the next upload which I'm looking to do this weekend, > but if you'd like to do a security fix on 1.2.4-0.1 after the protobuf -9 > build go ahead and do so.
Thanks for the update. So then I will stop preparing also the packages for unstable now! Thanks for working on it! Salvatore -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
