Hi Robie - Thanks for the oneiric-security branch! I've reviewed the diff and it looks mostly good. There are a few very minor touch-ups that will be needed to the changelog:
1) Make the patch attribution style in the changelog match the examples here: https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Update_the_packaging
2) The last bullet says that the change is to debian/cobbler.postinst, but it is actually to debian/cobbler-web.postinst

Those are very minor and something the security team can do if there are no other changes needed to be made.

However, there is one technical concern that I have with the fix for bug 858860. It doesn't seem to do anything for existing cobbler installations. In other words, if you already have a world-readable users.digest, it will stay that way after the package upgrade.

Finally, have you had a chance to do testing in Oneiric? If so, can you provide some details on the testing that was performed?

Please resubscribe ubuntu-security-sponsors and set the status to 'NEW' when the issues above have been fixed.

** Changed in: cobbler (Ubuntu Oneiric)
       Status: Triaged => Incomplete

** Tags added: patch-needswork

--
https://bugs.launchpad.net/bugs/858878

Title:
  lack of csrf protection in cobbler-web
