Bug#947142: buster-pu: package python-oslo.utils/3.36.4-2 CVE-2019-3866
Control: tags -1 + confirmed
Apologies for the delay.
On Sat, 2019-12-21 at 22:13 +0100, Thomas Goirand wrote:
> I'd like to update python-oslo.utils in Buster to address CVE-2019-
> 3866.
> It wasn't possible to apply directly the patch available here:
>
> https://review.opendev.org/692972
>
> and I found too dangerous to skip the commits right before it, which
> are related to this patch. So I just merged upstream branch
> stable/rocky into the Debian package. However, looking closer to all
> patches, either they are all related to the official patch, or are
> cosmetic from the Debian perspective (ie: .gitreview, or upstream CI
> related).
>
> Please find, attached to this bug, the debdiff for the udpate.
>
+python-oslo.utils (3.36.4+2019.11.15.git.c49a426b66-1+deb10u1) buster;
urgency=medium
I'd prefer -0+deb10u1 there, as there was (I presume) never a -1 upload
to Debian.
With that change, please go ahead.
Regards,
Adam
Reply to: