Hi Thomas,

On Fri, Dec 20, 2019 at 01:46:22PM +0100, Thomas Goirand wrote:
> Hi,
>
> As I understand it, this bug concerns TripleO, which is a Red Hat
> product. Please clear this CVE from the Debian security tracker.

Whilst it was reported initially for a TripleO issue, the changes applied affect python-mistral-lib/mistral and need changes in python-oslo.utils as a prerequisite.

See: https://bugs.launchpad.net/tripleo/+bug/1850843

and the fix in the python-oslo.utils part is

https://opendev.org/openstack/oslo.utils/commit/b41268417cecb12d1d5955ee3107067edf050221

while the patches for mistral/python-mistral-lib are as follows:

Patch for Pike and newer:
https://launchpadlibrarian.net/449473654/0001-Ensure-we-mask-sensitive-data-from-Mistral-Action-lo.patch

Patch for Pike and newer:
https://launchpadlibrarian.net/449472809/0001-Ensure-we-mask-sensitive-data-from-Mistral-Action-lo.patch

My point here was, it might have impact outside TripleO; there are changes done definitively in the scope of the respective above-mentioned source packages in Debian.

One might on the other side definitively argue this all might not warrant any DSA handling (which I might tend to agree with).

What am I missing in the context?

Regards,
Salvatore