On Fri, May 28, 2021 at 02:14:34PM +0200, Jonas Meurer wrote:
> Hey Moritz,
>
> Moritz Muehlenhoff wrote:
> > On Fri, May 28, 2021 at 11:06:31AM +0200, Jonas Meurer wrote:
> > > Moritz Muehlenhoff wrote:
> > > > This was assigned CVE-2021-33038:
> > > > https://gitlab.com/mailman/hyperkitty/-/issues/380
> > > >
> > > > Patch is here:
> > > > https://gitlab.com/mailman/hyperkitty/-/commit/9025324597d60b2dff740e49b70b15589d6804fa
> > >
> > > Thanks a lot for reporting the security bug!
> > >
> > > I'll upload hyperkitty 1.3.4-4 in a few minutes with the patch applied.
> > > Will open an unblock request for Bullseye as soon as the package hits
> > > the archive.
> > >
> > > Do you want to take care of preparing an upload to buster-security or
> > > shall I prepare that one as well?
> >
> > Please do! Version number should be 1.2.2-1+deb10u1
>
> Done now. The sources for 1.2.2-1+deb10u1 can be found here:
>
> https://salsa.debian.org/mailman-team/hyperkitty/-/tree/debian/buster-security
>
> Will you handle the upload or shall I upload to buster-security as well?

Thanks! Update looks fine, please upload to security-security. I'll release
the DSA later this evening or tomorrow.

Cheers,
Moritz