
Re: RFS: Security patch for GitHub CLI client gh



On 30/12/24 at 19:24, Otto Kekäläinen wrote:
> I see you now tagged debian/2.46.0-2 and likely uploaded it.

Yes, as a team upload.
> Why were you in such a hurry?

Because CVE-2024-52308 seems grave enough for that, and fixing
it in unstable is usually a prerequisite for a stable fix.

> Why couldn't you let the Go team take care of this?

Well, in some sense I did. I joined the Go team to fix things like this.
Mainly in stable, but not only.

> You bypassed now both code reviews and uploaded despite failing CI.

I tested the package locally and it built ok while previously it did not,
so your fix for the Glamour v0.8.0 issue seemed correct, and I also
checked that the fix for CVE-2024-52308 matched the upstream fix.

So, the upload seemed good enough given the severity of CVE-2024-52308,
and now we can think about fixing CVE-2024-52308 in stable.

If you think I did wrong, well, I'm sorry.

Thanks.

