
Bug#947146: buster-pu: package python-mistral-lib/1.0.0-1 CVE-2019-3866



On 12/21/19 11:34 PM, Salvatore Bonaccorso wrote:
> Hi Thomas
> 
> [Disclaimer: not part of the stable release managers, so this reply is
> not authoritative]
> 
> Thanks for handling CVE-2019-3866 for unstable and buster.
> 
> On Sat, Dec 21, 2019 at 11:12:17PM +0100, Thomas Goirand wrote:
>> Package: release.debian.org
>> Severity: normal
>> Tags: buster
>> User: release.debian.org@packages.debian.org
>> Usertags: pu
>>
>> Dear Stable Release team,
>>
>> I'd like to upgrade python-mistral-lib to address CVE-2019-3866,
>> which is described in https://bugs.debian.org/946060. Please note
>> that this patch is only useful if you also approve the upload of
>> python-oslo.utils which I requested in #947142.
>>
>> Debdiff containing the patch is attached. Note that there's, as
>> much as I understand, no need to upgrade Mistral to address this
>> CVE (probably it would be needed in Stretch though...), as I believe
>> the issue is fully addressed by the update of python-mistral-lib
>> (at least, that's my understanding when reading the upstream bug
>> entry at https://bugs.launchpad.net/tripleo/+bug/1850843).
> 
> Question (which applies as well to the unstable upload which was just
> done): the python-mistral-lib patch depends on the fixed version of
> python-oslo.utils. Wouldn't that need a versioned dependency on
> python-oslo.utils?
> 
> Regards,
> Salvatore

Hi,

There's currently no dependency at all on python3-oslo.utils, because
it's not completely needed. It looks like it is needed only for some
usages of Mistral (like the one TripleO is doing), when calling
generate_unicode_uuid(), is_valid_uuid() or utc_now_sec() from
mistral_lib.utils.

So no, I don't think we should add an artificial hard runtime dependency
on oslo.utils, as long as upstream isn't doing it in requirements.txt.

Your thoughts?

Cheers,

Thomas Goirand (zigo)