On 4/25/20 9:45 PM, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> 
> Apologies for the delay.
> 
> On Sat, 2019-12-21 at 22:13 +0100, Thomas Goirand wrote:
>> I'd like to update python-oslo.utils in Buster to address
>> CVE-2019-3866.
>> It wasn't possible to apply directly the patch available here:
>>
>> https://review.opendev.org/692972
>>
>> and I found it too dangerous to skip the commits right before it, which
>> are related to this patch. So I just merged upstream branch
>> stable/rocky into the Debian package. However, looking closer at all
>> patches, either they are all related to the official patch, or are
>> cosmetic from the Debian perspective (ie: .gitreview, or upstream CI
>> related).
>>
>> Please find, attached to this bug, the debdiff for the update.
>>
> 
> +python-oslo.utils (3.36.4+2019.11.15.git.c49a426b66-1+deb10u1) buster;
> urgency=medium
> 
> I'd prefer -0+deb10u1 there, as there was (I presume) never a -1 upload
> to Debian.
> 
> With that change, please go ahead.
> 
> Regards,
> 
> Adam

Hi,

Checking upstream, since my proposal to update this package, version
3.36.5 has been released, incorporating the change. The only difference
between 3.36.4+2019.11.15.git.c49a426b66 and 3.36.5 is added release
notes, which aren't even packaged in the binary. So I took the liberty
to upgrade to that instead, which is IMO cleaner, and doesn't change
anything regarding Debian.

The resulting package is uploaded to buster with 3.36.5-0+deb10u1 as
version number.

Cheers,

Thomas Goirand (zigo)
