Bug#925595: unblock: flatpak/1.2.4-1 (pre-approval) or 1.2.3-2 (unblock)
Control: tags -1 confirmed moreinfo
Simon McVittie:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
>
> I would like to follow the 1.2.x stable-branch of flatpak in buster for
> as long as it's maintained upstream, similar to what I did with 0.8.x
> in stretch. Are the release team happy with this in principle?
>
> In the short term, this means uploading flatpak 1.2.4 to unstable. It
> fixes CVE-2019-10063 (incomplete defence against command injection with
> TIOCSTI) and some non-security bugs. I attach a proposed diff: may I
> upload this if my tests are successful?
>
> If 1.2.4 is not acceptable, please unblock 1.2.3-2 instead, to fix
> CVE-2019-10063 but not the non-security bugs (I already uploaded that
> version). I've attached the debdiff for that too.
>
> See also #925569, the corresponding stable-update.
>
> Thanks,
> smcv
>
Hi,
Please go with 1.2.4 and remove the moreinfo tag when it is ready to be
unblocked.
Thanks,
~Niels