Hi Bastian,

[Please always send such requests to team@s.d.o; dev-ref also gives some further hints at https://www.debian.org/doc/manuals/developers-reference/pkgs.en.html#handling-security-related-bugs]

On Thu, Oct 08, 2020 at 04:25:55PM +0200, Bastian Germann wrote:
> On Tue, 01 Sep 2020 10:51:48 +0200 Salvatore Bonaccorso
> <car...@debian.org> wrote:
> > The following vulnerability was published for python-flask-cors.
> >
> > CVE-2020-25032[0]:
> > | An issue was discovered in Flask-CORS (aka CORS Middleware for Flask)
> > | before 3.0.9. It allows ../ directory traversal to access private
> > | resources because resource matching does not ensure that pathnames are
> > | in a canonical format.
> >
> >
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> >
> > For further information see:
> >
> > [0] https://security-tracker.debian.org/tracker/CVE-2020-25032
> >     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25032
> > [1]
> > https://github.com/corydolphin/flask-cors/commit/67c4b2cc98ae87cf1fa7df4f97fd81b40c79b895
>
> I have prepared a buster-security release at
> https://salsa.debian.org/python-team/packages/python-flask-cors/-/tags/debian%2F3.0.7-2

As for the update, please always send it as a debdiff from a built (and tested) package (this request is similar to what the stable release managers would expect for point release updates; it also helps us to archive the discussion and the debdiffs for review). But I can already give some first feedback:

debian/changelog uses 3.0.7-2 as version. Even though 3.0.7-2 might never have been seen in the archive, please use 3.0.7-1+deb10u1 instead, following the usual convention. While at it, use urgency=high (for consistency in security updates). For the bug closer I think you will need to use "(Closes: #969362)".

Furthermore: what kind of testing did the update receive, were you able to test the update in production environments, are there any problems spotted?

I'm asking in particular as the modified tests seem to pass ok as well without the patch (but I only quickly gave it a test from the git repository, might be something else strange here).

> The new upstream release is waiting in the master branch to be published
> in sid.

Ok, although not required, if you have that already ok to be uploaded, I would say to go ahead with the unstable upload and have the fixes exposed there already.

Regards,
Salvatore
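The CVE text quoted above says resource matching in Flask-CORS went wrong because the request path was not brought into a canonical form first, and Salvatore's remark that the modified tests also pass without the patch is a symptom worth understanding: a regression test for this bug class has to feed a non-canonical spelling of a path into the matcher. The following is an added illustration written for this thread, not code from the email, from Flask-CORS, or from the upstream commit linked as [1]. It uses a constructed resource table (the `/api/public/` and `/api/private/` patterns and their options are made up) and shows how a matcher that looks at the raw path picks a different rule than one that canonicalizes the path first; the only assumption is that the matcher receives the raw, possibly still percent-encoded path component.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed example table: an ordered list of (compiled pattern, CORS options),
# first match wins, in the spirit of a prefix-keyed resource map. The paths and
# options are invented for this illustration.
RESOURCES = [
    (re.compile(r"^/api/public/.*$"), {"origins": "*"}),
    (re.compile(r"^/api/private/.*$"), {"origins": ["https://intranet.example"]}),
]


def canonicalize(path):
    """Return a canonical form of a request path before it is matched.

    Assumption: `path` is the raw path component from the request line, so it
    may still be percent-encoded. It is decoded exactly once (a second pass
    would disagree with what the server itself routes), then '.' and '..'
    segments and duplicate slashes are collapsed with posixpath.normpath.
    """
    decoded = unquote(path)
    if not decoded.startswith("/"):
        decoded = "/" + decoded
    return posixpath.normpath(decoded)


def match_naive(path):
    """Match the path exactly as given; non-canonical spellings select the
    wrong rule because the regex only sees the textual prefix."""
    for pattern, options in RESOURCES:
        if pattern.match(path):
            return options
    return None


def match_canonical(path):
    """Match the canonical form, so every spelling of a path gets one answer."""
    return match_naive(canonicalize(path))


if __name__ == "__main__":
    # The second and third spellings are the kind of input a regression test
    # for this bug class must contain: with match_naive they pick the public
    # rule, with match_canonical they pick the private one.
    for p in ["/api/private/secret",
              "/api/public/../private/secret",
              "/api/public/%2e%2e/private/secret",
              "/api/public/../../status"]:
        print(f"{p!r:40} naive={match_naive(p)} canonical={match_canonical(p)}")
```

The practical point for reviewing a backport is the test, not the helper: if the new test only sends a canonical path such as `/api/private/secret`, it passes with and without the fix, which matches what Salvatore observed. A useful test asserts that a non-canonical spelling resolves to the same rule as its canonical form.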