Your message dated Sat, 26 Apr 2025 11:49:24 +0200
with message-id <bf45258a-d274-43d3-9add-e6a86fa8a...@debian.org>
and subject line Re: Bug#1103999: unblock: yelp-xsl/42.1-3
has caused the Debian Bug report #1103999,
regarding unblock: yelp-xsl/42.1-3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1103999: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1103999
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Control: affects -1 + src:yelp-xsl
X-Debbugs-Cc: yelp-...@packages.debian.org
User: release.debian....@packages.debian.org
Usertags: unblock

Please allow yelp-xsl 42.1-3 to migrate faster than 10 days.

[ Reason ]
This is the yelp-xsl part of the security fix for
https://security-tracker.debian.org/tracker/CVE-2025-3839

[ Impact ]
The security vulnerability is both more severe and more widely
discussed than other recent GNOME CVEs.

https://blogs.gnome.org/mcatanzaro/2025/04/15/dangerous-arbitrary-file-read-vulnerability-in-yelp-cve-2025-3155/

[ Tests ]
I simply copied the security fix that Ubuntu released today

https://ubuntu.com/security/notices/USN-7447-1

I also did a manual test to ensure that opening GNOME help pages still
works as expected.

[ Risks ]
Key package but we're using the same security fix Ubuntu pushed.

[ Checklist ]
  [✅] all changes are documented in the d/changelog
  [✅] I reviewed all changes and I approve them
  [N/A] attach debdiff against the package in testing

Thank you,
Jeremy Bícha

--- End Message ---
--- Begin Message ---
Hi,

On 23-04-2025 21:08, Jeremy Bícha wrote:
> The security vulnerability is both more severe and more widely
> discussed than other recent GNOME CVEs.

But not fixed yet in d-security? Even marked as "minor issue" for bullseye, is that an incorrect assessment by the LTS team?

Anyways:
urgent yelp-xsl/42.1-4

Paul



--- End Message ---
