[PKG-Openstack-devel] Bug#828967: horizon / CVE-2016-4428 #828967

Moritz Mühlenhoff jmm at inutil.org
Tue Jul 5 20:42:45 UTC 2016


On Tue, Jul 05, 2016 at 09:58:58PM +0200, Thomas Goirand wrote:
> On 07/05/2016 07:37 PM, Moritz Mühlenhoff wrote:
> > On Wed, Jun 29, 2016 at 03:50:47PM +0200, Thomas Goirand wrote:
> >> On 06/29/2016 11:24 AM, Moritz Muehlenhoff wrote:
> >>> Hi Thomas,
> >>> https://bugs.launchpad.net/bugs/1567673 has been assigned CVE-2016-4428 and I think we should fix
> >>> it in jessie-security. Can you please prepare an update? unstable also needs the patch.
> >>>
> >>> Cheers,
> >>>         Moritz
> >>>
> >>
> >> Hi Moritz,
> >>
> >> I have uploaded fixes for both Sid and Experimental, and the fix for
> >> Stable is committed to Git in here:
> >>
> >> http://anonscm.debian.org/cgit/openstack/horizon.git/commit/?h=debian/icehouse&id=d74e751ce93f03240f3ad4206e93d6e7e05da55f
> >>
> >> Since you may prefer a diff to read from your mail client, I have
> >> attached it to this message.
> > 
> > Why do you upload something different than the debdiff you sent?
> > 
> > jessie has 2014.1.3-7, and what you uploaded includes an additional
> > fix which was never on security.debian.org:
> > 
> >> horizon (2014.1.3-7+deb8u1) jessie-security; urgency=high
> >>
> >>  * Fix CVE-2015-3219 with upstream patch (Closes: 788306).
> >>
> >> -- Thomas Goirand <zigo at debian.org>  Wed, 10 Jun 2015 16:18:34 +0200
> > 
> > Cheers,
> >         Moritz
> 
> Moritz,
> 
> I would still like both fixes to be included in the update. I'm sorry if
> the first one didn't make it yet through proposed-updates, it's probably
> my fault if it didn't.
> 
> If you wish me to squash version 2014.1.3-7+deb8u1 and 2014.1.3-7+deb8u2
> into a single version, please let me know, but I don't think it's very
> useful to do so.

No, let's ship both fixes, then. No need for a new upload. I'll review
the changes tomorrow and deal with the DSA.

Cheers,
        Moritz


