On Mon, Feb 9, 2015 at 1:00 AM, Thomas Caswell <tca...@gm...> wrote: > Sorry about the bad tarball, I forgot to clean my git directory before > generating it. Another point in favor of using the gh tarball, I can't > screw it up. I switch to GH tarball, but I must say they are a lot different than the SF ones (now we have 3 copies of the examples in doc/mpl_examples lib/mpl_examples and examples) and contains quite a lot more files (like the whole unit/ tree) and development files (.travis, .gitignore and friends), but if that's a more reliable way to get new tarball, I'm all for it - let's use this in the future :) > This is the first I have seen that CVE. > > That PR is not included in 1.4.3 because it completely over-hauls how the > Agg rendering works (and generated a whole bunch of other bugs along the > way). > > Mike: Is there a way to fix up the security issues reported on just the > 1.4.x branch with out pulling that whole patch back? there is a patch[1] attached to the Debian bug[2], I'm about to apply to the package and see how it goes, you might want to investigate+apply it in the final release [1] https://bugs.debian.org/cgi-bin/bugreport.cgi?msg=5;filename=matplotlib-printf-buffer-overrun.patch;att=1;bug=775691 [2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775691 Cheers, -- Sandro Tosi (aka morph, morpheus, matrixhasu) My website: http://matrixhasu.altervista.org/ Me at Debian: http://wiki.debian.org/SandroTosi