On 21 July 2017 at 14:35, Moritz Muehlenhoff <j...@debian.org> wrote:
> Please see
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11468

Thanks for the report! I've started looking into the fix, and will include my notes here:

https://github.com/docker/distribution/releases/tag/v2.6.2 is the release which fixes this (and it links to https://github.com/docker/distribution/commit/29fa466debaabb64f8559116bbffd20a289d523c as the specific commit which does so).

A plain "dch -v 2.6.2~ds1-1" is _not_ sufficient to get a working build (needs some dependency updates, I think, since we're currently on v2.6.0-rc.1 + a few commits and upstream has obviously made some changes since then).

Given that the package is only in unstable, I'll likely commit my WIP bump to 2.6.2 to Git once I'm done looking around at how much it's going to take to update (whether it's building successfully or not).

♥,
- Tianon
  4096R / B42F 6819 007F 00F8 8E36 4FD4 036A 9C25 BF35 7DD4