On Tue, Jun 25, 2024 at 04:37:31PM +0200, Lee Garrett wrote:
> On 16.06.24 00:25, Jonathan Wiltshire wrote:
> > Control: tag -1 confirmed
> >
> > On Wed, May 01, 2024 at 05:05:05PM +0200, Lee Garrett wrote:
> > > [ Reason ]
> > > This is a bugfix-only update from ansible-core 2.14.3 to 2.14.16. This
> > > fixes three CVEs:
> > > - Address issue where ANSIBLE_NO_LOG was ignored (CVE-2024-0690)
> > > - Address issues where internal templating can cause unsafe variables to
> > >   lose their unsafe designation (CVE-2023-5764)
> > > - Prevent roles from using symlinks to overwrite files outside of the
> > >   installation directory (CVE-2023-5115)
> > >
> > > and various other bugfixes as seen here:
> > > https://salsa.debian.org/python-team/packages/ansible-core/-/blob/debian/bookworm-proposed/changelogs/CHANGELOG-v2.14.rst
> >
> > 1051 files changed, 8802 insertions(+), 159082 deletions(-)
> >
> > Normally I'd be looking for targeted fixes for the security issues but
> > upstream's descriptive changelog does look quite sensible.
> >
> > You might want to change your version number - if 2.14.16-1 was never in
> > sid you could use that. A +/~ revision to a version which never existed
> > feels odd, as do -0 Debian versions (-1 being the first Debian release of
> > this upstream version, -0 is... the zeroth?).
>
> I double-checked if it was me or the tooling that set the version number to
> 2.14.16-0+deb12u1, and it's even part of official policy:
>
> https://www.debian.org/doc/debian-policy/ch-controlfields.html#special-version-conventions
> -> stable-updates -> bullet point 3
>
> So I'll go ahead and upload as is unless you have any reservations.

The difference here is that there isn't and never will be a -1 going to sid.
No issues either way though, go for it.

Thanks,

--
Jonathan Wiltshire    j...@debian.org
Debian Developer      http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1