Re: New proposed-updates diff: keystone 2012.1.1-13+wheezy1
Hi,
On Fri, 2013-05-10 at 04:01 +0000, Debian Queue Viewer wrote:
> diff -Nru keystone-2012.1.1/debian/changelog keystone-2012.1.1/debian/changelog
> --- keystone-2012.1.1/debian/changelog 2013-02-19 16:11:56.000000000 +0000
> +++ keystone-2012.1.1/debian/changelog 2013-05-10 02:19:29.000000000 +0000
> @@ -1,8 +1,16 @@
> +keystone (2012.1.1-13+wheezy1) wheezy-proposed-updates; urgency=low
> +
> + * CVE-2013-2059: Keystone tokens not immediately invalidated when user is
> + deleted [OSSA 2013-011]. Added backported to Essex patch which I picked-up
> + from Launchpad. Thanks to the Canonical security team (Closes: #707598).
Was this upload discussed with anyone on the release team beforehand?
> + -- Thomas Goirand <zigo@debian.org> Fri, 10 May 2013 10:09:14 +0800
> +
> keystone (2012.1.1-13) unstable; urgency=high
>
> * CVE-2013-0282: Ensure EC2 users and tenant are enabled (Closes: #700947).
> - * CVE-2013-0280: Information leak and Denial of Service using XML entities
> - (Closes: #700948).
> + * CVE-2013-1664 & CVE-2013-1665: Information leak and Denial of Service using
> + XML entities (Closes: #700948).
Why isn't this change, and the corresponding noise of renaming and
modifying the patch content, mentioned in the changelog?
Regards,
Adam
Reply to: