[Pkg-utopia-maintainers] Bug#865413: flatpak: Flatpak security issue #845 involving setuid/world-writable files

Moritz Mühlenhoff jmm at inutil.org
Wed Jun 21 15:08:03 UTC 2017


On Wed, Jun 21, 2017 at 12:35:43PM +0100, Simon McVittie wrote:
> On Wed, 21 Jun 2017 at 09:46:21 +0100, Simon McVittie wrote:
> > Security team: do you want a backport/DSA for stretch-security, or do
> > you consider the mitigations to be sufficient to fix this through
> > a stable update instead? I am hoping to get 0.8.7 into stretch r1 as a
> > stable update, but 0.8.6 contains unrelated bug fixes that I realise
> > you won't necessarily want in stretch-security (proposed-update tracked
> > at <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864028>).
> 
> Here is a proposed minimal backport for stretch in case you want one.
> I have source and binaries for this ready for upload.

Please go ahead.

> Does the security
> archive still want source packages built with debuild -sa, and do you
> accept source-only uploads for stretch-security?

Source-only uploads should work fine, but you still need to include the
orig tarball if the package is new in the stretch-security suite (and
at this point almost everything is).

Cheers,
        Moritz


