Bug#947146: buster-pu: package python-mistral-lib/1.0.0-1 CVE-2019-3866
Hi Thomas,
[Disclaimer: not part of the stable release managers, so this reply is
not authoritative]
Thanks for handling CVE-2019-3866 for unstable and buster.
On Sat, Dec 21, 2019 at 11:12:17PM +0100, Thomas Goirand wrote:
> Package: release.debian.org
> Severity: normal
> Tags: buster
> User: release.debian.org@packages.debian.org
> Usertags: pu
>
> Dear Stable Release team,
>
> I'd like to upgrade python-mistral-lib to address CVE-2019-3866,
> which is described in https://bugs.debian.org/946060. Please note
> that this patch is only useful if you also approve the upload of
> python-oslo.utils which I requested in #947142.
>
> Debdiff containing the patch is attached. Note that there's, as
> much as I understand, no need to upgrade Mistral to address this
> CVE (probably it would be needed in Stretch though...), as I believe
> the issue is fully addressed by the update of python-mistral-lib
> (at least, that's my understanding when reading the upstream bug
> entry at https://bugs.launchpad.net/tripleo/+bug/1850843).
Question (which applies as well to the unstable upload which was just
done): the python-mistral-lib patch depends on the fixed version of
python-oslo.utils. Wouldn't that need a versioned dependency on
python-oslo.utils?
Regards,
Salvatore