Changes until version 2.7.4:

* When a file isn't being deleted because the file contents don't match the patch, the resulting message is now "Not deleting file ... as content differs from patch" instead of "File ... is not empty after patch; not deleting".
* Function names in hunks (from diff -p) are now preserved in reject files.
* Patch no longer follows symbolic links to input and output files. This ensures that symbolic links created by git-style patches cannot cause patch to write outside the working directory (CVE-2015-1196).
* Various fixes.
+*patch-2.7.4 (01 Feb 2015) + + 01 Feb 2015; Lars Wendler <polynomial-c@gentoo.org> -patch-2.7.1-r3.ebuild, + -patch-2.7.2.ebuild, +patch-2.7.4.ebuild, + -files/patch-2.7.1-Fix-removing-empty-directories.patch, + -files/patch-2.7.1-dry-run-mode-create-temp-files-in-temp-dir.patch, + -files/patch-2.7.1-initialize_data_structures_early_enough.patch, + -files/patch-2.7.1-prevent_depend_on_autotools.patch: + Version bump (bug #538426). Removed old. +
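Review bot: the ChangeLog entry records only "Version bump (bug #538426). Removed old." although the quoted upstream NEWS for this release lists a fix for CVE-2015-1196; state in the entry whether this bump is security-relevant or that the CVE is already tracked elsewhere, so that stabilization requests do not have to reconstruct it from the bug discussion.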
Sorry for the noise, I'm confused here. The changelog posted above indicates that CVE-2015-1196 is fixed in 2.7.4. However, CVE-2015-1196 is already handled in #536614; there, however, it is indicated that this is fixed in 2.7.3. It seems the upstream NEWS file is not really clear about which issue was fixed in which version. Do we need fast-track stabilization of 2.7.4 for security reasons?
(In reply to Hanno Boeck from comment #2)

> sorry for the noise, I'm confused here. The changelog posted above indicates
> that CVE-2015-1196 is fixed in 2.7.4. However CVE-2015-1196 is already
> handled in #536614 - however there it is indicated this is fixed in 2.7.3.

Yes, that's why I didn't tag this onto the security bug report.

> Seems the upstream NEWS file is not really clear which issue was fixed in
> which version. Do we need fast-track stabilization of 2.7.4 for security
> reasons?

Not if the other bug handles this. We could retroactively fix the NEWS file. :)