[Python-modules-team] Bug#733108: python3-requests: redirect can expose netrc password

Daniele Tricoli eriol at mornie.org
Tue Sep 16 23:06:12 UTC 2014


Hello Jakub,

On Tuesday 16 September 2014 23:50:56 Jakub Wilk wrote:
> Version: 2.3.0-1
> 
> It looks like the bug was fixed upstream in 2.3.0:

Thanks for taking care of closing this. I received the notification from 
GitHub, but I will work on requests (I plan to update to 2.4.1) on the 
weekend.

To acknowledge the fix of this security bug, I should put something in the 
changelog anyway, right?
Something like this:
  * Acknowledge fix for CVE-2014-1829 and CVE-2014-1830 in 2.3.0-1
    (Closes: #733108)

Developer reference[¹] says: "When closing security bugs include CVE numbers 
as well as the Closes: #nnnnn. This is useful for the security team to track 
vulnerabilities. If an upload is made to fix the bug before the advisory ID is 
known, it is encouraged to modify the historical changelog entry with the next 
upload."

So using "Closes: #733108" although the bug is already closed seems ok to me, 
is that right?

Many thanks!

Kind regards,

[¹] https://www.debian.org/doc/manuals/developers-reference/pkgs.html#newpackage

-- 
 Daniele Tricoli 'Eriol'
 http://mornie.org
