在 2023-09-24星期日的 19:09 +0100,Adam D. Barratt写道: > On Sat, 2023-09-23 at 22:10 +0100, Adam D. Barratt wrote: > > Control: tags -1 confirmed > > > > On Thu, 2023-09-21 at 13:37 -0400, Boyuan Yang wrote: > > > As reported in https://bugs.debian.org/1051408 ;, current flameshot > > > in Debian 11 (Bullseye) will silently upload the current captured > > > screenshot to imgur without confirmation whenever the corresponding > > > hotkey is pressed. This imposes a security risk of leaking > > > sensitive > > > information. > > > > > > In order to mitigate this issue, I propose to upload flameshot > > > 0.9.0+ds1-2+deb11u1, which strips the embedded imgur token > > > hardcoded > > > in the source code. Users who wish to utilize the img uploading > > > feature can fill in their own imgur token in flameshot config > > > window to re-enable the feature. > > > > > > > Please go ahead. > > > > I should have spotted this before, but the news file in the source > package should simply be named "debian/NEWS"; dh_installchangelogs will > then install it as NEWS.Debian in the binary package. > > It's up to you whether you want to upload a +deb11u2 that simply fixes > that, or would prefer that we reject the existing upload and you can > upload a fixed +deb11u1. Thanks, I just uploaded a +deb11u2 to reflect this change. Best, Boyuan Yang
Attachment:
signature.asc
Description: This is a digitally signed message part