
Bug#913801: stretch-pu: package mistral/3.0.0-4 CVE-2018-16849: std.ssh action may disclose presence of arbitrary files



On 12/3/18 8:17 AM, Julien Cristau wrote:
> Control: tag -1 confirmed
> 
> On Thu, Nov 15, 2018 at 02:07:01PM +0100, Thomas Goirand wrote:
>> diff --git a/debian/changelog b/debian/changelog
>> index b2ce8602..06234034 100644
>> --- a/debian/changelog
>> +++ b/debian/changelog
>> @@ -1,3 +1,11 @@
>> +mistral (3.0.0-4+deb9u1) stretch-security; urgency=medium
> 
> Remove the -security bit.

Sure! This was made for the security team, and they asked to move to a
s-p-u instead (i.e. no DSA).

>> +
>> +  * CVE-2018-16849: std.ssh action may disclose presence of arbitrary files,
>> +    applied upstream patch: remove extra information from std.ssh action.
>> +    (Closes: #912714).
>> +
>> + -- Thomas Goirand <zigo@debian.org>  Mon, 05 Nov 2018 14:38:44 +0100
>> +
>>  mistral (3.0.0-4) unstable; urgency=medium
>>  
>>    * Add allow-sqla-1.1.patch to allow SQLA transition.
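
Review bot: the new 3.0.0-4+deb9u1 entry says "applied upstream patch" without naming the patch file, while the 3.0.0-4 entry just below it names allow-sqla-1.1.patch. Naming the file in the CVE-2018-16849 bullet would let a reader of the changelog find the change that carries the fix. The first line of the entry also still targets stretch-security, which the thread has already asked to change.
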
> 
> Other than that, looks ok to upload.

Uploaded. If it gets rejected because of a --force-orig-source, I'll
re-do it (I'm always confused on when to do it, though never mind if it
gets automatically rejected, it's easy to fix...).

Cheers,

Thomas Goirand (zigo)

