
Bug#928291: unblock: signing-party/2.10-1



Control: tags -1 moreinfo confirmed

Hi,

On Wed, May 01, 2019 at 01:44:08PM +0200, Guilhem Moulin wrote:
> On Wed, 01 May 2019 at 12:46:12 +0200, Guilhem Moulin wrote:
> > gpg-key2ps(1) from signing-party 2.9-1 is vulnerable to CVE-2018-15599:
> > unsafe shell call enabling shell injection via a User ID.
> 
> Erm that should be CVE-2019-11627, and the changelog is wrong as well.
> Would you like me to upload a 2.10-1 with a fixed debian/changelog?

You can't upload 2.10-1 again, so that would need to be 2.10-2. In that case,
please don't include the 2.10-1 entry in the changelog, to make sure the wrong
CVE number isn't in there.

If you do so, please remove the moreinfo tag from this bug once the new
package is in unstable. Otherwise, you can remove the moreinfo tag and ask for
this version to be unblocked as well.

Thanks,

Ivo

