On Thu, 2023-04-06 at 19:46 -0400, Reinhard Tartler wrote:
> This code change picks up code changes in golang-github-containers-
> psgo
> and golang-github-containers-storage to fix CVE-2022-1227. This is
> reported
> as 1020907. This addresses a priviledge escalation issue when using
> 'podman top'. Upstream has more information in this issue in
> https://bugzilla.redhat.com/show_bug.cgi?id=2070368
> 

I see this has already been uploaded; unfortunately:

-    ,golang-github-containers-psgo-dev
-    ,golang-github-containers-storage-dev (>= 1.24.6)
+    ,golang-github-containers-psgo-dev (>= 1.5.2-1+deb11u1)
+    ,golang-github-containers-storage-dev (>= 1.24.6+dfsg1-1+deb11u1)

The updated golang-github-containers-storage-dev version there isn't
actually sufficient to ensure that the fixed version is picked up - you
want 1.24.*8*+dfsg1-1+deb11u1.

At this point, either I can reject the current upload, and you can then
re-upload a fixed +deb11u1 or (possibly easier all around) you can
upload +deb11u2 as an incremental change on top of +deb11u1 which
simply fixes the dependency version.

Regards,

Adam

Reply via email to