Bug#903037: stretch-pu: package git-annex/6.20170101-1+b1



Control: tags -1 + confirmed
Control: severity -1 normal

On Thu, 2018-07-05 at 13:59 +0100, Sean Whitton wrote:
> Package: release.debian.org
> Severity: important

p-u bugs (in fact, basically all release.d.o bugs) are "normal" at
most. There's no impact on the usability of the pseudo-package.

> git-annex in stretch is vulnerable to CVE-2018-10857 and
> CVE-2018-10859.  This update is a minimal fix for those CVEs prepared
> by its upstream, Joey Hess:

Please go ahead.

> (ii) there is already a +deb9u1 version of git-annex in
>      stretch-security, but not stretch, responding to a different
>      CVE.
>
>      I have based my work on the +deb9u1 upload, and I assume that
>      uploading my +deb9u2 to stretch-proposed-updates will cause it
>      to take precedence over the import of the +deb9u1 upload.

That's correct. The reason that the -security upload isn't already in
proposed-updates is that it used a different .orig tarball from that
uploaded to the main archive, causing the sync to fail.

Regards,

Adam

