Bug#985220: velocity: CVE-2020-13936
Salvatore Bonaccorso
carnil at debian.org
Wed May 5 21:35:24 BST 2021
Hi Andreas,

Thanks for raising the problem.

On Wed, May 05, 2021 at 10:04:46PM +0200, Andreas Beckmann wrote:
> Followup-For: Bug #985220
>
> Hi,
>
> CVE-2020-13936 is fixed in stretch-security but not buster, making
> upgrades difficult since stretch-security has a newer version than buster.
> Please upload the fix to buster, too.
>
> velocity | 1.7-4 | jessie | source, all
> velocity | 1.7-5 | stretch | source, all
> velocity | 1.7-5 | buster | source, all
> velocity | 1.7-5+deb9u1 | stretch-security | source, all
> velocity | 1.7-6 | bullseye | source, all
> velocity | 1.7-6 | sid | source, all

This issue itself won't warrant a DSA for buster, but ideally a fix
goes in via the next buster point release or a later one if possible.

Regards,
Salvatore