Hi Scott,

On Thu, Mar 19, 2020 at 12:20:25AM -0400, Scott Kitterman wrote:
> Upstream's 3.1.2 release had just the security fix in it. I propose updating
> buster with it (I put 3.1.3 in unstable, but it had non-security fixes in it).
>
> I'm not 100% sure about if we need to modify the import path for the new test
> since we don't use the vendored html5lib, but other than that (which I will
> investigate), this should be good.

Given we did release a DSA for the similar issue CVE-2020-6802 for buster, we can do the same as well now for this issue (it got assigned CVE-2020-6816). Your plan to rebase to 3.1.2 looks good to me.

Once you have the update ready, please just come back to us. If possible, add the CVE id reference as it was assigned now, but more importantly please adjust the debian/changelog (the target distribution needs to be buster-security).

Many thanks for your work!

Regards,
Salvatore