On Fri, 2012-08-10 at 14:25 +0800, Thomas Goirand wrote:
> Please unblock the nova package. This fixes CVE-2012-3447, which is a
> file injection vulnerability in the host filesystem, using a specially
> crafted guest image.
>
> The relevant diff is available here:
> http://anonscm.debian.org/gitweb/?p=openstack/nova.git;a=commitdiff;h=55e78f9cbaa1c4657a97c6b20797a94968030e75

Please don't do that. It needs a context switch, doesn't work when reading mail offline and means that the list archive doesn't stand alone as a historical, well, archive of what was okayed. There's a reason that the freeze policy explicitly asks for debdiffs.

> The patch comes directly from upstream, as per the patch header (I just
> applied it manually, then did dpkg-source --commit).
>
> Note that this also includes a (needed) tweak in the configuration files
> as per this commit:
> http://anonscm.debian.org/gitweb/?p=openstack/nova.git;a=commitdiff;h=4cd725c5d164484a3ddb6bf95f37fb715cb51169

Two questions:

1) Why is there no mention of the above changes in the changelog?

2) Why does "Add nova-compute.conf files to nova-compute init if exist" require

-DAEMON_ARGS="--flagfile=/etc/nova/nova.conf"
+DAEMON_ARGS="--config-file=/etc/nova/nova.conf"

and a bunch of

+[DEFAULT]

?

> Also, Ubuntu folks already fixed the issue in 12.04.

How is that at all relevant to the Debian freeze?

Regards,

Adam