Control: block 1033341 by -1

Dear Salvatore and release team,

Salvatore Bonaccorso <carnil@debian.org> writes:

> On Tue, Jun 06, 2023 at 11:00:14PM -0400, Nicholas D Steeves wrote:
>> +org-mode (9.4.0+dfsg-1+deb11u1) bullseye-security; urgency=medium >> + >> + * Fix Org Mode command injection vulnerability CVE-2023-28617 by backporting >> + 0004-Org-Mode-vulnerability-CVE-2023-28617-is-fixed.patch like src:emacs >> + did (Closes: #1033341). Thanks to Rob Browning's work in that package, >> + fixing org-mode was trivially easy! >> + >> + -- Nicholas D Steeves <sten@debian.org> Sun, 04 Jun 2023 13:26:52 -0400
>
> Small remark, for the bullseye pu update please target at 'bullseye'
> not 'bullseye-security'.
>

Done. That was actually my first instinct, but I thought the existence of a CVE would destine the upload to the -security queue! I was wrong, but this is a teaching/learning moment.

Is it as simple as: Use the -security queue when a DSA is needed, otherwise use the normal distribution code name and the foo-updates queue? No need to explain if it's more complicated and if you're busy. (I couldn't find documentation of this in the Dev Ref)

Updated debdiff attached.

Regards,
Nicholas
Attachment:
9.4.0+dfsg-1__to__9.4.0+dfsg-1.debdiff
Description: debdiff