On 12/21/19 11:34 PM, Salvatore Bonaccorso wrote:
> Hi Thomas
>
> [Disclaimer: not part of the stable release managers, so this reply is
> not authoritative]
>
> Thanks for handling CVE-2019-3866 for unstable and buster.
>
> On Sat, Dec 21, 2019 at 11:12:17PM +0100, Thomas Goirand wrote:
>> Package: release.debian.org
>> Severity: normal
>> Tags: buster
>> User: release.debian....@packages.debian.org
>> Usertags: pu
>>
>> Dear Stable Release team,
>>
>> I'd like to upgrade python-mistral-lib to address CVE-2019-3866,
>> which is described in https://bugs.debian.org/946060. Please note
>> that this patch is only useful if you also approve the upload of
>> python-oslo.utils which I requested in #947142.
>>
>> Debdiff containing the patch is attached. Note that there's, as
>> much as I understand, no need to upgrade Mistral to address this
>> CVE (probably it would be needed in Stretch though...), as I believe
>> the issue is fully addressed by the update of python-mistral-lib
>> (at least, that's my understanding when reading the upstream bug
>> entry at https://bugs.launchpad.net/tripleo/+bug/1850843).
>
> Question (which applies as well to the unstable upload which was just
> done): the python-mistral-lib patch depends on the fixed version of
> python-oslo.utils. Wouldn't that need a versioned dependency on
> python-oslo.utils?
>
> Regards,
> Salvatore
Hi,

There's currently no dependency at all on python3-oslo.utils, because it's not completely needed. It looks like it is needed only for some usages of Mistral (like the one TripleO is doing), when calling generate_unicode_uuid(), is_valid_uuid() or utc_now_sec() from mistral_lib.utils.

So no, I don't think we should add an artificial hard runtime dependency on oslo.utils, as long as upstream isn't doing it in requirements.txt.

Your thoughts?

Cheers,

Thomas Goirand (zigo)
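The question in this exchange is whether a security fix whose effectiveness relies on another package's fixed version should be expressed as a versioned Depends entry. The script below is an added example for this thread, not code from the thread, from python-mistral-lib or from Debian tooling: it parses a constructed debian/control excerpt (the `SAMPLE_CONTROL` text is made up and is not the real python-mistral-lib control file), extracts the Depends field of one binary package, and classifies how a named dependency is expressed (missing, unversioned, versioned too low, or ok). The function names `parse_depends`, `check_versioned_dependency` and `version_key` are my own, the version comparison is a deliberately simplified stand-in for dpkg's ordering, and the minimum version `"1.0"` used in the usage call is a constructed sample, since the thread does not state the fixed oslo.utils version.

```python
"""Audit a Debian control file for a versioned dependency that a
security fix relies on.

Added example; not code from the mailing-list thread or from the
python-mistral-lib package. The control excerpt is constructed.
"""
import re

# Constructed debian/control excerpt (NOT the real python-mistral-lib file).
SAMPLE_CONTROL = """\
Source: python-mistral-lib
Section: python

Package: python3-mistral-lib
Architecture: all
Depends: python3-pbr,
         python3-six (>= 1.10.0),
         ${python3:Depends},
         ${misc:Depends}
Description: Mistral shared library
"""


def parse_depends(control_text, binary_package):
    """Return {name: version_constraint_or_None} for the Depends field of
    the stanza of `binary_package`. Substitution variables (${...}) are
    skipped because they are resolved at build time, not in the source."""
    stanza = None
    for block in control_text.split("\n\n"):
        if re.search(r"^Package:\s*%s\s*$" % re.escape(binary_package),
                     block, re.M):
            stanza = block
            break
    if stanza is None:
        raise ValueError("no stanza for %s" % binary_package)
    # Field body runs until the next line that starts with a non-space.
    m = re.search(r"^Depends:(.*?)(?=^\S|\Z)", stanza, re.M | re.S)
    if not m:
        return {}
    deps = {}
    for item in m.group(1).replace("\n", " ").split(","):
        item = item.strip()
        if not item or item.startswith("${"):
            continue
        # "pkg (>= 1.2)" -> name "pkg", constraint ">= 1.2"; bare "pkg" -> None
        vm = re.match(r"([A-Za-z0-9][A-Za-z0-9.+-]*)\s*(?:\((.*?)\))?", item)
        deps[vm.group(1)] = vm.group(2)
    return deps


def version_key(version):
    """Simplified comparison key: leading integers of each dotted part of
    the upstream version ('3.40.3-1' -> (3, 40, 3)). This is NOT full
    dpkg version ordering; it is enough for plain dotted versions."""
    upstream = version.split("-", 1)[0]
    return tuple(int(re.match(r"\d*", p).group() or 0)
                 for p in upstream.split("."))


def check_versioned_dependency(deps, package, minimum_version):
    """Classify how a dependency that a fix relies on is expressed:
    'missing', 'unversioned', 'versioned-too-low' or 'ok'."""
    if package not in deps:
        return "missing"
    constraint = deps[package]
    if constraint is None:
        return "unversioned"
    op, _, ver = constraint.partition(" ")
    if op in (">=", ">>") and version_key(ver.strip()) >= version_key(minimum_version):
        return "ok"
    return "versioned-too-low"


if __name__ == "__main__":
    deps = parse_depends(SAMPLE_CONTROL, "python3-mistral-lib")
    # "1.0" is a constructed sample minimum, not the real fixed oslo.utils version.
    print(deps)
    print(check_versioned_dependency(deps, "python3-oslo.utils", "1.0"))
```

On the constructed excerpt the result is "missing", which is the situation the reply describes: the package carries no dependency on python3-oslo.utils at all, so nothing in the archive metadata ties the fixed mistral-lib to a fixed oslo.utils, and the check is left to the installed environment.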