Bug#934206: buster-pu: package golang-github-docker-docker-credential-helpers/0.6.1-2+deb10u1

To: Arnaud Rebillout <arnaud.rebillout@collabora.com>
Cc: Moritz Mühlenhoff <jmm@inutil.org>, 934206@bugs.debian.org, team@security.debian.org
Subject: Bug#934206: buster-pu: package golang-github-docker-docker-credential-helpers/0.6.1-2+deb10u1
From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
Date: Fri, 09 Aug 2019 11:15:07 +0100
Message-id: <[🔎] 36d66e2856fc4ddf0960145d689bc0b7@mail.adam-barratt.org.uk>
Reply-to: "Adam D. Barratt" <adam@adam-barratt.org.uk>, 934206@bugs.debian.org
In-reply-to: <[🔎] 20190808180906.GA18827@pisco.westfalen.local>
References: <[🔎] 156525047577.16101.8153094058534261452.reportbug@xps> <[🔎] 9dcb2409e3556f7b5dae0c0e52a87ffa@mail.adam-barratt.org.uk> <[🔎] 20190808180906.GA18827@pisco.westfalen.local> <[🔎] 156525047577.16101.8153094058534261452.reportbug@xps>

On 2019-08-08 19:09, Moritz Mühlenhoff wrote:

On Thu, Aug 08, 2019 at 09:53:16AM +0100, Adam D. Barratt wrote:

Control: tags -1 + moreinfo

On 2019-08-08 08:47, Arnaud Rebillout wrote:

[...]

> The debdiff attached brings in an upstream patch to fix
> CVE-2019-1020014, hence closes #933801.

[...]

>    * Fixes for security issues should be co-ordinated with the
>      Security Team, unless they have explicitly stated that they
>      will not issue an DSA for the bug (e.g. via a "no-dsa" marker
>      in the Security Tracker) [SECURITY-TRACKER]

[...]

I've CCed them now, let's see what they say.
It's harmless, stable-proposed-updates sounds good. I'll mark it asno-dsa
in the security tracker.


Thanks for the confirmation.

The module apparently has three reverse build-dependencies:

amazon-ecr-credential-helper:golang-github-docker-docker-credential-helpers-dev

docker-pycreds: golang-docker-credential-helpers

docker.io: golang-github-docker-docker-credential-helpers-dev (>=0.6.1~)

Would this update imply any of those needing to be rebuilt? If so, isthat the end of the tree, or do we end up down a rabbit hole of Golibraries?


Regards,

Adam

Reply to:

Follow-Ups:
- Bug#934206: buster-pu: package golang-github-docker-docker-credential-helpers/0.6.1-2+deb10u1
  - From: Arnaud Rebillout <arnaud.rebillout@collabora.com>

References:
- Bug#934206: buster-pu: package golang-github-docker-docker-credential-helpers/0.6.1-2+deb10u1
  - From: Arnaud Rebillout <arnaud.rebillout@collabora.com>
- Bug#934206: buster-pu: package golang-github-docker-docker-credential-helpers/0.6.1-2+deb10u1
  - From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Bug#934206: buster-pu: package golang-github-docker-docker-credential-helpers/0.6.1-2+deb10u1
  - From: Moritz Mühlenhoff <jmm@inutil.org>

Prev by Date: Bug#934300: buster-pu: package apt/1.8.3~deb10u1
Next by Date: Processed: #934132: Raise severity to important
Previous by thread: Bug#934206: buster-pu: package golang-github-docker-docker-credential-helpers/0.6.1-2+deb10u1
Next by thread: Bug#934206: buster-pu: package golang-github-docker-docker-credential-helpers/0.6.1-2+deb10u1
Index(es):
- Date
- Thread