On Sat, Apr 26, 2025 at 11:36:46AM +0200, Salvatore Bonaccorso wrote: > Hi Peter, > > On Sat, Apr 26, 2025 at 09:20:46AM +0000, Debian FTP Masters wrote: > > -----BEGIN PGP SIGNED MESSAGE----- > > Hash: SHA512 > > > > Format: 1.8 > > Date: Sat, 26 Apr 2025 11:34:57 +0300 > > Source: libarchive > > Architecture: source > > Version: 3.7.4-2 > > Distribution: unstable > > Urgency: high > > Maintainer: Peter Pentchev <r...@debian.org> > > Changed-By: Peter Pentchev <r...@debian.org> > > Closes: 1103494 > > Changes: > > libarchive (3.7.4-2) unstable; urgency=high > > . > > * Acknowledge NMU; thanks, Salvatore! > > * Point to the debian/trixie branch in the gbp.conf file since > > the master branch in the repository already contains changes that > > did not make it in time for the Trixie freeze. > > * Add the CVE-2025-1632 patch. Closes: #1103494 > > * Add the year 2025 to my debian/* copyright notice. > > Was there a reason not to pick the upstream commited > https://github.com/libarchive/libarchive/commit/8ce2aca6c7d6f004f860c6619cb6cc98d51ac69a > ?
That was actually a very good question. The only reason I can give you is that I had a bit of a neuron misfire and made a silly mistake - I had two versions of the patch ready for testing and somehow I forgot which one was which, and I kept forgetting even after adding it to my copy of the package. So, yeah... Later today or tomorrow I will upload a new version of libarchive with the upstream patch instead of this one, Thanks a lot for catching this, I really have no idea how it happened. G'luck, Peter -- Peter Pentchev r...@ringlet.net r...@debian.org pe...@morpheusly.com PGP key: https://www.ringlet.net/roam/roam.key.asc Key fingerprint 2EE7 A7A5 17FC 124C F115 C354 651E EFB0 2527 DF13
signature.asc
Description: PGP signature
