Bug#947758: buster-pu: package node-handlebars/3:4.1.0-1+deb10u1
- To: Xavier <yadd@debian.org>, 947758@bugs.debian.org, Mattia Rizzolo <mattia@debian.org>
- Cc: Paul Gevers <elbrus@debian.org>
- Subject: Bug#947758: buster-pu: package node-handlebars/3:4.1.0-1+deb10u1
- From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Date: Tue, 07 Jul 2020 19:04:11 +0100
- Message-id: <8a3fab23e7a32a8df01ce8c410e9134e9cc7fc39.camel@adam-barratt.org.uk>
- Reply-to: "Adam D. Barratt" <adam@adam-barratt.org.uk>, 947758@bugs.debian.org
- In-reply-to: <ca230b5a-12af-48a8-afcc-409778cb6a90@debian.org>
- References: <f332b8014193963568e9ba2ad92ffcc75305b8d6.camel@adam-barratt.org.uk> <3361180f-be1d-8801-f484-239b4ae5301e@debian.org> <3361180f-be1d-8801-f484-239b4ae5301e@debian.org> <157768871379.678655.1820481871895083744.reportbug@deb007.xnr.fr> <877f2e39-a357-8eae-01c5-a57d8f1af99c@debian.org> <7bdcf9dec6bc1f20a13c188e1806cec74f3d2a50.camel@adam-barratt.org.uk> <4c02f7c4-71d2-1379-6f39-f7b96165aecf@debian.org> <76927e4295e5ccb6d5020b1fe0c9fd6c286d8bca.camel@adam-barratt.org.uk> <157768871379.678655.1820481871895083744.reportbug@deb007.xnr.fr> <2e34fc23-512f-8acc-960d-0d478b0b99bf@debian.org> <20200504165326.GU1318501@mapreri.org> <157768871379.678655.1820481871895083744.reportbug@deb007.xnr.fr> <ca230b5a-12af-48a8-afcc-409778cb6a90@debian.org> <157768871379.678655.1820481871895083744.reportbug@deb007.xnr.fr>
Control: tags -1 -pending +confirmed
On Mon, 2020-05-04 at 22:02 +0200, Xavier wrote:
> On 04/05/2020 at 18:53, Mattia Rizzolo wrote:
> > Hi,
> >
> > let me reply before adsb has a chance ;)
> >
> > On Mon, May 04, 2020 at 02:24:20PM +0200, Xavier wrote:
> > > Finally I found a way to fix CVE and keep autopkgtest OK
> > > (node-markdown-it-html5-embed). Here is a debdiff for a future
> > > point release
> >
> > This is good, however,
> >
> > > diff --git a/debian/changelog b/debian/changelog
> > > index b985661..64df8db 100644
> > > --- a/debian/changelog
> > > +++ b/debian/changelog
> > > @@ -1,3 +1,11 @@
> > > +node-handlebars (3:4.1.0-1+deb10u1) buster; urgency=medium
> > > +
> > > + * Team upload
> > > + * Disallow calling "helperMissing" and "blockHelperMissing"
> > > directly
> > > + (Closes: CVE-2019-19919)
> > > +
> > > + -- Xavier Guimard <yadd@debian.org> Mon, 04 May 2020 14:21:11
> > > +0200
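Review bot: in the new changelog entry, `(Closes: CVE-2019-19919)` puts a CVE id after the `Closes:` keyword, which expects a Debian bug number, so the upload will not close anything in the BTS. Write the reference plainly as `(CVE-2019-19919)` and add `Closes: #NNNNNN` only if a bug tracks the issue. The entry also does not name the patch file that carries the fix, which would help anyone reviewing the debdiff for the point release.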
> >
> > By now 3:4.1.0-1+deb10u1 is already accepted in p-u, built and all, and
> > it can't really be removed from there and replaced by a same-versioned
> > package.
> >
> > Please prepare a +deb10u2 version, and post here a debdiff against the
> > already uploaded +deb10u1 one.
>
> Is it good so?
Sorry for the delay. Please feel free to go ahead.
Regards,
Adam