On Mon, May 08, 2017 at 05:10:28PM -0400, Kei Kebreau wrote:
> Leo Famulari <leo@famulari.name> writes:
> 
> > On Mon, May 08, 2017 at 03:07:14PM -0400, Kei Kebreau wrote:
> >> Fixes CVE-2016-{10209,10350} and CVE-2017-5601.
> >> 
> >> * gnu/packages/backup.scm (libarchive): Update to 3.3.1.
> >
> > Thanks!
> >
> > Can you use a graft instead? Then, the commit message can be like this:
> >
> > gnu: libarchive: Replace with 3.3.1 [security fixes].
> >
> > Fixes CVE-2016-{10209,10350}, CVE-2017-5601.
> >
> > * gnu/packages/backup.scm (libarchive)[replacement]: New field.
> > (libarchive-3.3.1): New variable.
> 
> Like the patch I've attached?

> From 45d3157bb61bb8b5f26ff13feb672759b6043e6f Mon Sep 17 00:00:00 2001
> From: Kei Kebreau <kei@openmailbox.org>
> Date: Mon, 8 May 2017 14:58:07 -0400
> Subject: [PATCH] gnu: libarchive: Replace with 3.3.1 [security fixes].
> To: 26836@debbugs.gnu.org
> 
> Fixes CVE-2016-{10209,10350} and CVE-2017-5601.
> 
> * gnu/packages/backup.scm (libarchive)[replacement]: New field.
> (libarchive-3.3.1): New variable.

Thanks, LGTM!