[Pkg-varnish-devel] Bug#728989: Bug#728989: Bug#728989: Bug#728989: varnish: CVE-2013-4484

Salvatore Bonaccorso carnil at debian.org
Mon Dec 9 10:04:52 UTC 2013


Hi,

On Mon, Dec 09, 2013 at 10:12:01AM +0100, Stig Sandbeck Mathisen wrote:
> Salvatore Bonaccorso <carnil at debian.org> writes:
> 
> > Thanks! Could you please upload them to security-master (needs to be
> > built with -sa as it's the first upload for varnish for both
> > squeeze-security and wheezy-security).
> 
> It will be done.

Thanks! (will release the DSA later hopefully when all builds are
done).

> > Btw, I would have preferred for review if the patch could be applied
> > separately via debian/patches/series (I think also Stable Release
> > Managers would prefer that way when it will hit pu-NEW ;-)).
> >
> > The debdiff for squeeze-security does not apply cleanly here on top of
> > 2.1.3-8, due to same changes removed as added; but the diff part for
> > #728989 for debian-changes-2.1.3-8+deb6u1 looks good.
> 
> Handling upstream changes in git, either directly on the packaging
> branch or as a patch branch used by debian/source/git-changes, helps
> keep this package maintainer sane.
> 
> However, I see that it makes the package much harder to review when
> looking at debdiffs to verify changes.
> 
> Is there anything else I can do to help review changes, when uploading
> new changes to *-security?

Yes, understand that. I think there is simply the problem here as the
package uses 3.0 (quilt) source package format, but unifies the whole
diff in a single debian-changes-$version (and this changes its name
for each version).

Don't worry though. If you can also add the relevant patches in
addition to the debdiff this will help.

My problem with the above was also primarily as the debdiff sent did
not apply on top of 2.1.3-8, when unpacking the source and applying
the debdiff.

Regards,
Salvatore


