[Secure-testing-team] Embedded ICU copy in texlive-bin (was: [SECURITY] [DSA 1889-1] New icu packages correct multibyte sequence parsing)

Michael Gilbert michael.s.gilbert at gmail.com
Thu Sep 17 16:09:59 UTC 2009


On Thu, 17 Sep 2009 14:11:16 +0200, Frank Küster wrote:
> Hi,
> 
> This DSA made me aware that there might be a problem in texlive. It
> contains a changed copy of libicu; the changes are needed by xetex, and
> xetex upstream intends to have them merged. But for the time being, the
> code copy is there.
> 
> I fear I won't have time to work on a security update of texlive right
> now, and Norbert is busy as well. 
> 
> I have added the information to embedded-code-copies, a diff (which also
> includes some more TeXLive-related corrections) is attached.

thanks for the info.  a couple questions:

1. why should texlive-base be removed from the xpdf embeds?  it's
already being tracked as fixed.

2. if there is no build-dep for texlive-bin on t1, how are you sure that
that link is being done correctly, and not falling back on the embed?

also note that <unknown> means that the issue is fixed, we just don't
know which version is the first that had the fix, so those issues
shouldn't be marked <not-affected>.

mike


