[Python-modules-team] Bug#733108: python3-requests: redirect can expose netrc password
Jakub Wilk
jwilk at debian.org
Fri Sep 19 20:17:49 UTC 2014
Hi Daniele!
[Bug submitters don't automatically receive BTS message copies. You need
to CC them explicitly. I saw your message only by chance...]
* Daniele Tricoli <eriol at mornie.org>, 2014-09-17, 01:06:
>To acknowledge the fix of this security bug, I should put something in
>the changelog anyway, right?
>Something like this:
> * Acknowledge fix for CVE-2014-1829 and CVE-2014-1830 in 2.3.0-1
> (Closes: #733108)
>
>Developer reference[¹] says: "When closing security bugs include CVE
>numbers as well as the Closes: #nnnnn. This is useful for the security
>team to track vulnerabilities. If an upload is made to fix the bug
>before the advisory ID is known, it is encouraged to modify the
>historical changelog entry with the next upload."
As the DevRef suggests, you should retroactively add the CVE reference
to the changelog entry for 2.3.0-1, so don't mention "in 2.3.0-1".
>So using "Closes: #733108" although the bug is already closed seems ok
>to me, is that right?
Yup, that should be fine.
--
Jakub Wilk