
Bug#1106819: bookworm-pu: package python-tornado/6.2.0-3+deb12u2



On Tue, Jun 03, 2025 at 01:33:44PM +0200, Daniel Leidert wrote:
> On Tue, 2025-06-03 at 08:42 +0200, Salvatore Bonaccorso wrote:
> > On Fri, May 30, 2025 at 05:38:30AM +0200, Daniel Leidert wrote:
> 
> [Bookworm PU for CVE-2025-47287.patch]
> > Technically we had the package already in mind for a DSA, so this
> > could as well go via a DSA (cc'ing my teammates from Debian security
> > team). One comment below:
> > 
> > > diff -Nru python-tornado-6.2.0/debian/patches/CVE-2023-28370.patch
> > > python-tornado-6.2.0/debian/patches/CVE-2023-28370.patch
> > > --- python-tornado-6.2.0/debian/patches/CVE-2023-
> > > 28370.patch	1970-01-01 01:00:00.000000000 +0100
> > > +++ python-tornado-6.2.0/debian/patches/CVE-2023-
> > > 28370.patch	2025-05-30 05:19:15.000000000 +0200
> > 
> > The patch seems wrongly named, should be CVE-2025-47287.patch instead
> > and samewise then in debian/patches/series to avoid confusion.
> 
> Thanks for catching that. Attached the debdiff after fixing the name.

We should rather fix this via a DSA. The debdiff looks fine, but please
change the target suite to bookworm-security and then build with -sa
for the upload to security-master (python-tornado is new in bookworm-security
and security.d.o and ftp.d.o don't share tarballs).

Cheers,
        Moritz

