Bug#913801: stretch-pu: package mistral/3.0.0-4 CVE-2018-16849: std.ssh action may disclose presence of arbitrary files
On 12/3/18 8:17 AM, Julien Cristau wrote:
> Control: tag -1 confirmed
>
> On Thu, Nov 15, 2018 at 02:07:01PM +0100, Thomas Goirand wrote:
>> diff --git a/debian/changelog b/debian/changelog
>> index b2ce8602..06234034 100644
>> --- a/debian/changelog
>> +++ b/debian/changelog
>> @@ -1,3 +1,11 @@
>> +mistral (3.0.0-4+deb9u1) stretch-security; urgency=medium
>
> Remove the -security bit.
Sure! This was made for the security team, and they asked to move to an
s-p-u instead (i.e. no DSA).
>> +
>> + * CVE-2018-16849: std.ssh action may disclose presence of arbitrary files,
>> + applied upstream patch: remove extra information from std.ssh action.
>> + (Closes: #912714).
>> +
>> + -- Thomas Goirand <zigo@debian.org> Mon, 05 Nov 2018 14:38:44 +0100
>> +
>> mistral (3.0.0-4) unstable; urgency=medium
>>
>> * Add allow-sqla-1.1.patch to allow SQLA transition.
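Review bot: The new bullet in the 3.0.0-4+deb9u1 entry says only "applied upstream patch" and does not name the patch file or upstream commit, whereas the 3.0.0-4 entry in the trailing context names allow-sqla-1.1.patch. Naming the file that carries the CVE-2018-16849 fix would let someone reading the changelog locate the change without unpacking the source. The header line of the same entry also still targets stretch-security; for a stable proposed update it should read stretch, as already requested in the thread.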
>
> Other than that, looks ok to upload.
Uploaded. If it gets rejected because of a --force-orig-source, I'll
re-do it (I'm always confused on when to do it, though never mind if it
gets automatically rejected, it's easy to fix...).
Cheers,
Thomas Goirand (zigo)