On 2019-08-08 19:09, Moritz Mühlenhoff wrote:
On Thu, Aug 08, 2019 at 09:53:16AM +0100, Adam D. Barratt wrote:Control: tags -1 + moreinfo On 2019-08-08 08:47, Arnaud Rebillout wrote:
[...]
> The debdiff attached brings in an upstream patch to fix > CVE-2019-1020014, hence closes #933801.
[...]
> * Fixes for security issues should be co-ordinated with the > Security Team, unless they have explicitly stated that they > will not issue an DSA for the bug (e.g. via a "no-dsa" marker > in the Security Tracker) [SECURITY-TRACKER]
[...]
I've CCed them now, let's see what they say.It's harmless, stable-proposed-updates sounds good. I'll mark it as no-dsain the security tracker.
Thanks for the confirmation. The module apparently has three reverse build-dependencies:amazon-ecr-credential-helper: golang-github-docker-docker-credential-helpers-dev
docker-pycreds: golang-docker-credential-helpersdocker.io: golang-github-docker-docker-credential-helpers-dev (>= 0.6.1~)
Would this update imply any of those needing to be rebuilt? If so, is that the end of the tree, or do we end up down a rabbit hole of Go libraries?
Regards, Adam