
Re: New proposed-updates diff: keystone 2012.1.1-13+wheezy1



Hi,

On Fri, 2013-05-10 at 04:01 +0000, Debian Queue Viewer wrote:
> diff -Nru keystone-2012.1.1/debian/changelog keystone-2012.1.1/debian/changelog
> --- keystone-2012.1.1/debian/changelog	2013-02-19 16:11:56.000000000 +0000
> +++ keystone-2012.1.1/debian/changelog	2013-05-10 02:19:29.000000000 +0000
> @@ -1,8 +1,16 @@
> +keystone (2012.1.1-13+wheezy1) wheezy-proposed-updates; urgency=low
> +
> +  * CVE-2013-2059: Keystone tokens not immediately invalidated when user is
> +    deleted [OSSA 2013-011]. Added backported to Essex patch which I picked-up
> +    from Launchpad. Thanks to the Canonical security team (Closes: #707598).

Was this upload discussed with anyone on the release team beforehand?

> + -- Thomas Goirand <zigo@debian.org>  Fri, 10 May 2013 10:09:14 +0800
> +
>  keystone (2012.1.1-13) unstable; urgency=high
>  
>    * CVE-2013-0282: Ensure EC2 users and tenant are enabled (Closes: #700947).
> -  * CVE-2013-0280: Information leak and Denial of Service using XML entities
> -    (Closes: #700948).
> +  * CVE-2013-1664 & CVE-2013-1665: Information leak and Denial of Service using
> +    XML entities (Closes: #700948).
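
Review bot: the rewrite of the already released 2012.1.1-13 entry (CVE-2013-0280 replaced by CVE-2013-1664 & CVE-2013-1665) is not recorded anywhere in the new 2012.1.1-13+wheezy1 entry, so anyone auditing this proposed update from the changelog alone cannot tell that the CVE attribution for #700948 changed. Add a bullet to the +wheezy1 entry stating that the CVE identifiers for the XML entities fix were corrected, and mention there any patch rename that goes with it. In the first bullet, "Added backported to Essex patch" would be easier to audit if it named the patch file being added.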

Why isn't this change, and the corresponding noise of renaming and
modifying the patch content, mentioned in the changelog?

Regards,

Adam

