Hi Thomas

[Disclaimer: not part of the stable release managers, so this reply is not authoritative]

Thanks for handling CVE-2019-3866 for unstable and buster.

On Sat, Dec 21, 2019 at 11:12:17PM +0100, Thomas Goirand wrote:
> Package: release.debian.org
> Severity: normal
> Tags: buster
> User: release.debian....@packages.debian.org
> Usertags: pu
>
> Dear Stable Release team,
>
> I'd like to upgrade python-mistral-lib to address CVE-2019-3866,
> which is described in https://bugs.debian.org/946060. Please note
> that this patch is only useful if you also approve the upload of
> python-oslo.utils which I requested in #947142.
>
> Debdiff containing the patch is attached. Note that there's, as
> much as I understand, no need to upgrade Mistral to address this
> CVE (probably it would be needed in Stretch though...), as I believe
> the issue is fully addressed by the update of python-mistral-lib
> (at least, that's my understanding when reading the upstream bug
> entry at https://bugs.launchpad.net/tripleo/+bug/1850843).

Question (which applies as well for the unstable upload which was just done): the python-mistral-lib patch depends on the fixed version of python-oslo.utils. Wouldn't that need a versioned dependency on python-oslo.utils?

Regards,
Salvatore