Control: tags -1 - moreinfo

Hi Graham,

On Sat, Jul 17, 2021 at 01:58:57PM +0200, Graham Inggs wrote:
> Control: tags -1 + moreinfo
>
> Hi Salvatore
>
> On Fri, 16 Jul 2021 at 21:24, Salvatore Bonaccorso <car...@debian.org> wrote:
> > fail2ban is affected by CVE-2021-32749, see detailed advisory in
> > https://github.com/fail2ban/fail2ban/security/advisories/GHSA-m985-3f3v-cwmm,
> > which is a possible remote code execution vulnerability in the mailing
> > action mail-whois.
>
> fail2ban (0.11.2-2) unstable; urgency=high
>
>   * Fix a problem with mail
>
>  -- Sylvestre Ledru <sylves...@debian.org>  Mon, 12 Jul 2021 06:52:40 +0200
>
> Would it be better to have the CVE mentioned in the changelog?

Right, the description could have been more descriptive but is caused
by the following:

The issue was not yet public at the time of the upload, nor the CVE,
but upstream was fine with Debian first issuing an update and then
publishing the GHSA. This was the reason that the changelog entry gives
no detail on what is wrong with mail.

We could retrospectively ask for -3 with a more descriptive changelog
entry and include the CVE, but I would suggest to just unblock what we
have.

Regards,
Salvatore