On 12/17/2013 02:41 PM, Yves-Alexis Perez wrote:
> On Tue, Dec 17, 2013 at 10:41:54AM +0800, Thomas Goirand wrote:
>> Hi,
> 
>> I've got all of the OpenStack 2013.2.1 ready, and they fix a bunch of
>> CVEs, but I can't upload because of python-iso8601 is still 0.1.4, and I
>> need 0.1.8. I have opened #732284. Do you think that in such case, it is
>> acceptable to NMU the update in the delayed/2 queue, if I get no reply
>> from Benjamin Mako Hill, the python-iso8601 maintainer?
> 
> Are those embargoed CVEs? It seems that OpenStack 2013.2.1 is publicly
> released, so maybe it'd help to add that to the bug report to state the
> urgency publicly? (I guess you already did that on your private mail to
> Benjamin?)

All of the OpenStack 2013.2.1 include the fixes for the CVEs, and aren't
embargoed anymore. Here's the list that it would fix if I could upload them:

Heat: CVE-2013-6428, CVE-2013-6426
Keystone: CVE-2013-6391
Neutron: CVE-2013-6419
Nova: CVE-2013-7048, CVE-2013-6419

> Also debdiff doesn't include diff from outside the debian/ folder so
> it's a bit harder to see the impact of new upstream release.

There's no security problem at all in python-iso8601 itself. It's just
that I need version 0.1.8 for the new point release of OpenStack, which
fixes the above CVEs, as version 0.1.4 is incompatible with version 0.1.8
(there are some API changes, unfortunately).

This is the first time I face such a problem, with a dependency needing
a refresh, to be able to address a security problem. So, in such case,
is it acceptable to NMU python-iso8601 in the delayed/2 queue,
considering the urgency?

Cheers,

Thomas Goirand (zigo)

P.S: Since these CVEs aren't embargoed, and fixes are already publicly
released, I'm adding 732...@bugs.debian.org (and therefore, Benjamin
Mako Hill), in the loop.
