On Thursday, February 27, 2020 2:44:48 AM EST Salvatore Bonaccorso wrote:
> Hi Scott,
>
> On Sat, Feb 22, 2020 at 07:20:34PM -0500, Scott Kitterman wrote:
> > Debdiff for proposed stable security update attached.
> >
> > The first hunk of the patch has the actual fix. I would prefer to use the
> > new upstream release rather than just patch the one line because of the
> > test improvements, of the explanation of the issue in the upstream
> > changelog, and using the new upstream makes it clearer to external
> > reviewers we've done the fix. There are no unrelated changes.
>
> Okay let's fix this via a DSA.
> I checked the reverse dependencies and none seem to be particularly
> impacted, but given the primary use of the module is to sanitize input
> and is generic enough we should update.
>
> Can you set urgency=high for consistency, and add the now assigned CVE
> reference (I did contact Mozilla CNA for it, and they assigned one, it
> is CVE-2020-6802).
>
> Many thanks for your work and apologies for the long delay.

Thanks. No worries about the delay. I imagine this isn't the most severe issue you are dealing with this week. I've dput the package to security-master, modified as above.

Scott K