
Re: New proposed-updates diff: otrs2 3.3.9-3+deb8u1



On 08.06.2017 at 18:44, Adam D. Barratt wrote:
> On 2017-06-08 11:02, Debian Queue Viewer wrote:
>> Version in base suite: 3.3.9-3
>>
>> Base version: otrs2_3.3.9-3
>> Target version: otrs2_3.3.9-3+deb8u1
> [...]
>> +otrs2 (3.3.9-3+deb8u1) jessie-security; urgency=high
>> +
>> +  * Add patch 17-CVE-2017-9324:
>> +    This fixes OSA-2017-03, also known as CVE-2017-9324: An attacker
>> with
>> +    agent permission is capable by opening a specific URL in a
>> browser to
>> +    gain administrative privileges / full access. Afterward, all system
>> +    settings can be read and changed.
>> +    Closes: #864319
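Review bot: the changelog entry for patch 17-CVE-2017-9324 names the advisory (OSA-2017-03) and the CVE but gives no origin for the fix, such as an upstream commit or the upstream release that contains it, so the patch cannot be compared against the upstream change from this entry alone. Suggest adding that upstream reference to the entry next to the "Closes: #864319" line.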
>
> I'm afraid that I'm confused by this upload.
>
> It claims to be for stable-security, but was uploaded directly to
> ftp-master. If it's for security, then it should have been uploaded to
> the security queues.
>
> If, on the other hand, this was intended for proposed-updates then a)
> the distribution should be "jessie", not "jessie-security" and b) it
> should have been discussed in a p-u bug, not simply uploaded.
>
> Regards,
>
> Adam

Hi Adam,
Yes, -security is aware of it. On my first try I uploaded everything
to ftp-master :/

