Hi Thomas,

On Fri, Jan 27, 2017 at 04:57:09PM +0100, Thomas Goirand wrote:
> On 01/26/2017 10:11 PM, Salvatore Bonaccorso wrote:
> > Source: python-oslo.middleware
> > Version: 3.19.0-2
> > Severity: grave
> > Tags: security patch upstream
> > Forwarded: https://launchpad.net/bugs/1628031
> >
> > Hi,
> >
> > the following vulnerability was published for python-oslo.middleware.
> >
> > CVE-2017-2592[0]:
> > CatchErrors leaks sensitive values in oslo.middleware
> >
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> >
> > For further information see:
> >
> > [0] https://security-tracker.debian.org/tracker/CVE-2017-2592
> > [1] https://launchpad.net/bugs/1628031
> >
> > Regards,
> > Salvatore
>
> Hi Salvatore,
>
> Thanks for the notification.
>
> IMO this isn't a grave issue. To be able to read the logs, someone would
> need to have access to the server logs, meaning having privileged access
> to the server.
>
> I have nevertheless uploaded the upstream patch to Sid, and asked for
> an unblock to the release team (with 5 days delay).

Thanks for the quick followup. Apparently the upload was not accepted,
cf. no trace of it in
https://tracker.debian.org/pkg/python-oslo.middleware . Can you please
recheck, and reupload? Already appreciated, since we should have the
fix in stretch.

Regards,
Salvatore