On Thursday, March 19, 2020 6:24:22 PM EDT Salvatore Bonaccorso wrote: > Hi Scott, > > On Thu, Mar 19, 2020 at 12:20:25AM -0400, Scott Kitterman wrote: > > Upstream's 3.1.2 release had just the security fix in it. I propose > > updating buster with it (I put 3.1.3 in unstable, but it had non-security > > fixes in it. > > > > I'm not 100% sure about if we need to modify the import path for the new > > test since we don't use the vendored html5lib, but other than that (which > > I will investigate), this should be good. > > Given we did release a DSA for the similar issue CVE-2020-6802 for > buster we can do the same as well now for this issue (it got assigned > CVE-2020-6816). > > Your plan to rebase to 3.1.2 looks good to me. > > Once you have the update ready please just come back to us, if > possible add the CVE id reference as it was assigned now, but more > importantly please adjust the debian/changelog (the target > distribution needs to be buster-security). > > many thanks for your work!
I've uploaded it to security-master (didn't get the accept yet, so you should see it shortly. I added the CVE reference and changed the target distribution. In addition to test building, I ran the autopkgtests locally and it all passed, so it should be good to go. Scott K
signature.asc
Description: This is a digitally signed message part.