>>>>> "HC" == Hugo Cisneiros <hugo@xxxxxxxxxxxx> writes:

HC> It seems that the SVN version is ok, but I'm not a programmer to
HC> make a patch only to fix this vulnerability.

Upstream should be pretty well qualified to help you out here; have
you contacted them? (I guess you must have; they seem to have taken a
patch from you.)

HC> An option would be to create and apply a patch to update the
HC> entire version to SVN instead of only the vulnerability fix.

That's rather suboptimal, but would work if nothing else does. You
have to be careful that it's not less stable and doesn't break
existing configurations. Ideally you'd just get a patch that fixes
the issue.

One possibility if upstream won't or can't help you is to go through
their SVN tree and look for a commit that indicates it fixes the
security issue. You may get lucky and can find something obvious, but
it assumes that upstream provides useful comments. When I reported
that CVE I did spend a little time looking through their tree but
nothing jumped out at me.

I just looked again; try looking at revisions 928, 929 and other
revisions around that time. They seem to be related, although there
are a lot of patches. Many of them seem to be trivial changes; perhaps
you can pick out the fix.

http://svn.berlios.de/viewcvs/netpanzer?rev=928&view=rev

HC> If applying the patch to update entirely to the svn version, I
HC> must change the entire package's version or change only the
HC> release field in the specfile?

I would indicate the version change; the naming guidelines have
information on how to name snapshot packages:

http://fedoraproject.org/wiki/Packaging/NamingGuidelines#head-cfd71146dbb6f00cec9fe3623ea619f843394837

 - J<

--
fedora-extras-list mailing list
fedora-extras-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-extras-list