Re: New proposed-updates diff: otrs2 3.3.9-3+deb8u1

To: Patrick Matthäi <pmatthaei@debian.org>
Cc: debian-release@lists.debian.org
Subject: Re: New proposed-updates diff: otrs2 3.3.9-3+deb8u1
From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
Date: Thu, 08 Jun 2017 17:44:28 +0100
Message-id: <[🔎] 77af8de5321d163a84e118c5be21e715@mail.adam-barratt.org.uk>
In-reply-to: <E1dIuGy-0000wt-GU@coccia.debian.org>
References: <E1dIuGy-0000wt-GU@coccia.debian.org>

On 2017-06-08 11:02, Debian Queue Viewer wrote:

Version in base suite: 3.3.9-3

Base version: otrs2_3.3.9-3
Target version: otrs2_3.3.9-3+deb8u1

[...]

+otrs2 (3.3.9-3+deb8u1) jessie-security; urgency=high
+
+  * Add patch 17-CVE-2017-9324:
+ This fixes OSA-2017-03, also known as CVE-2017-9324: An attackerwith+ agent permission is capable by opening a specific URL in a browserto+ gain administrative privileges / full access. Afterward, allsystem
+    settings can be read and changed.
+    Closes: #864319


I'm afraid that I'm confused by this upload.

It claims to be for stable-security, but was uploaded directly toftp-master. If it's for security, then it should have been uploaded tothe security queues.

If, on the other hand, this was intended for proposed-updates then a)the distribution should be "jessie", not "jessie-security" and b) itshould have been discussed in a p-u bug, not simply uploaded.


Regards,

Adam

Reply to:

Follow-Ups:
- Re: New proposed-updates diff: otrs2 3.3.9-3+deb8u1
  - From: Patrick Matthäi <pmatthaei@debian.org>

Prev by Date: Bug#863915: Please test webkit2gtk 2.16.3-2 with your packages for stretch now!
Next by Date: Re: New proposed-updates diff: otrs2 3.3.9-3+deb8u1
Previous by thread: Processed: Re: Bug#864427: pu: package irssi/1.0.2-1+deb9u1
Next by thread: Re: New proposed-updates diff: otrs2 3.3.9-3+deb8u1
Index(es):
- Date
- Thread