On 2019-08-08 19:09, Moritz Mühlenhoff wrote:
On Thu, Aug 08, 2019 at 09:53:16AM +0100, Adam D. Barratt wrote:
Control: tags -1 + moreinfo
On 2019-08-08 08:47, Arnaud Rebillout wrote:
[...]
> The debdiff attached brings in an upstream patch to fix
> CVE-2019-1020014, hence closes #933801.
[...]
> * Fixes for security issues should be co-ordinated with the
> Security Team, unless they have explicitly stated that they
> will not issue an DSA for the bug (e.g. via a "no-dsa" marker
> in the Security Tracker) [SECURITY-TRACKER]
[...]
I've CCed them now, let's see what they say.
It's harmless, stable-proposed-updates sounds good. I'll mark it as
no-dsa
in the security tracker.
Thanks for the confirmation.
The module apparently has three reverse build-dependencies:
amazon-ecr-credential-helper:
golang-github-docker-docker-credential-helpers-dev
docker-pycreds: golang-docker-credential-helpers
docker.io: golang-github-docker-docker-credential-helpers-dev (>=
0.6.1~)
Would this update imply any of those needing to be rebuilt? If so, is
that the end of the tree, or do we end up down a rabbit hole of Go
libraries?
Regards,
Adam