Hi Scott,

On Fri, Mar 20, 2020 at 01:57:25PM -0400, Scott Kitterman wrote:
> On Thursday, March 19, 2020 6:24:22 PM EDT Salvatore Bonaccorso wrote:
> > Hi Scott,
> >
> > On Thu, Mar 19, 2020 at 12:20:25AM -0400, Scott Kitterman wrote:
> > > Upstream's 3.1.2 release had just the security fix in it. I propose
> > > updating buster with it (I put 3.1.3 in unstable, but it had
> > > non-security fixes in it).
> > >
> > > I'm not 100% sure whether we need to modify the import path for the
> > > new test since we don't use the vendored html5lib, but other than
> > > that (which I will investigate), this should be good.
> >
> > Given we did release a DSA for the similar issue CVE-2020-6802 for
> > buster, we can do the same now for this issue (it got assigned
> > CVE-2020-6816).
> >
> > Your plan to rebase to 3.1.2 looks good to me.
> >
> > Once you have the update ready, please just come back to us. If
> > possible, add the CVE id reference, as it was assigned now, but more
> > importantly please adjust the debian/changelog (the target
> > distribution needs to be buster-security).
> >
> > Many thanks for your work!
>
> I've uploaded it to security-master (I didn't get the accept yet, so you
> should see it shortly).
>
> I added the CVE reference and changed the target distribution.
>
> In addition to test building, I ran the autopkgtests locally and it all
> passed, so it should be good to go.
Thank you! DSA 4643-1 with your update released!

Regards,
Salvatore
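The two things Salvatore asked for in the thread above (a CVE reference in the changelog and buster-security as the target distribution) are exactly what a pre-upload sanity check can catch before the package hits security-master. The script below is an added example and is not part of the thread, nor the Debian security team's or the maintainer's tooling. It parses the top stanza of a debian/changelog in the real stanza format ("source (version) distribution; urgency=level" header, " -- maintainer  date" trailer) and reports anything that would get the upload bounced. Only the CVE id and the buster-security distribution come from the thread; the package name, version string, maintainer address and changelog wording are constructed placeholders.

```python
import re
from typing import Dict, List

# Stanza header: "source (version) dist1 [dist2 ...]; urgency=level"
HEADER_RE = re.compile(
    r"^(?P<source>[a-z0-9][a-z0-9+.-]+) "
    r"\((?P<version>[^)\s]+)\) "
    r"(?P<distributions>[^;]+); urgency=(?P<urgency>\S+)$"
)
# Stanza trailer: " -- Name <email>  date"
TRAILER_RE = re.compile(r"^ -- .+ <[^>]+>  .+$")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

# Constructed sample stanzas (placeholders, not the real package's changelog).
GOOD = """\
somepkg (3.1.2-1) buster-security; urgency=high

  * New upstream release with the security fix (CVE-2020-6816)

 -- Maintainer <maintainer@example.org>  Fri, 20 Mar 2020 12:00:00 -0400
"""

BAD = """\
somepkg (3.1.2-1) unstable; urgency=medium

  * New upstream release.

 -- Maintainer <maintainer@example.org>  Fri, 20 Mar 2020 12:00:00 -0400
"""


def parse_top_entry(changelog: str) -> Dict[str, object]:
    """Parse the most recent stanza of a debian/changelog.

    Raises ValueError when the header or the trailer is malformed, since a
    stanza dpkg-parsechangelog cannot read will not get into the archive either.
    """
    lines = changelog.splitlines()
    idx = 0
    while idx < len(lines) and not lines[idx].strip():
        idx += 1
    if idx >= len(lines):
        raise ValueError("empty changelog")
    m = HEADER_RE.match(lines[idx])
    if not m:
        raise ValueError(f"malformed changelog header: {lines[idx]!r}")
    body: List[str] = []
    trailer = None
    for line in lines[idx + 1:]:
        if TRAILER_RE.match(line):
            trailer = line
            break
        body.append(line)
    if trailer is None:
        raise ValueError("changelog stanza has no ' -- maintainer' trailer")
    body_text = "\n".join(body)
    return {
        "source": m.group("source"),
        "version": m.group("version"),
        "distributions": m.group("distributions").split(),
        "urgency": m.group("urgency"),
        "body": body_text.strip(),
        "cves": sorted(set(CVE_RE.findall(body_text))),
    }


def check_security_upload(changelog: str, expected_dist: str,
                          cve_ids: List[str]) -> List[str]:
    """Return the list of problems; an empty list means the stanza is ready."""
    entry = parse_top_entry(changelog)
    problems: List[str] = []
    dists = entry["distributions"]
    if dists != [expected_dist]:
        problems.append(
            f"target distribution is {' '.join(dists)!r}, expected {expected_dist!r}"
        )
    for cve in cve_ids:
        if cve not in entry["cves"]:
            problems.append(f"changelog does not reference {cve}")
    return problems


if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("BAD", BAD)):
        found = check_security_upload(text, "buster-security", ["CVE-2020-6816"])
        print(name, "->", found or "ready for buster-security")
```

Run it against a real debian/changelog by passing the file's contents to check_security_upload; an empty list is the signal that the stanza targets the right suite and carries the CVE id.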