Bug#934206: buster-pu: package golang-github-docker-docker-credential-helpers/0.6.1-2+deb10u1
On Thu, Aug 08, 2019 at 09:53:16AM +0100, Adam D. Barratt wrote:
> Control: tags -1 + moreinfo
>
> On 2019-08-08 08:47, Arnaud Rebillout wrote:
> > Package: release.debian.org
> > Severity: normal
> > Tags: buster
> > User: release.debian.org@packages.debian.org
> > Usertags: pu
> >
> > The debdiff attached brings in an upstream patch to fix
> > CVE-2019-1020014, hence closes #933801.
> >
> > This is my first contribution to Debian Stable, please check for
> > beginner's mistakes ;)
> >
> > Also, the devel-announce "Bits from the Stable Release Managers"
> > mentions:
> >
> > * Fixes for security issues should be co-ordinated with the
> >   Security Team, unless they have explicitly stated that they
> >   will not issue a DSA for the bug (e.g. via a "no-dsa" marker
> >   in the Security Tracker) [SECURITY-TRACKER]
> >
> > So, is there anything else I should do here? Like, CC them or something?
>
> Yes, *before* filing this bug, as if the Security Team want to handle it
> then this bug shouldn't exist to begin with.
>
> I've CCed them now, let's see what they say.
It's harmless, stable-proposed-updates sounds good. I'll mark it as no-dsa
in the security tracker.
Cheers,
Moritz