On Thu, Dec 10, 2020 at 08:53:58AM -0500, Roberto C. Sánchez wrote:
> On Tue, Dec 08, 2020 at 10:04:13AM -0500, Roberto C. Sánchez wrote:
> > Hi Moritz & Chris,
> >
> > On Tue, Dec 08, 2020 at 02:37:14PM +0000, Chris Lamb wrote:
> > > Hi Moritz,
> > >
> > > > CVE-2019-20218 isn't fixed in Stretch/LTS. Running the reproducer:
> > >
> >
> > Thanks for reporting this. It seems I overlooked something in my
> > update. I should have taken greater care.
> > > >
> > > > Roberto, can you follow-up on this?
> > >
> > I have claimed the package in dla-needed.txt. I will get this
> > straightened out (including properly confirming that the vulnerability
> > is fixed) in the coming days.
> >
> I have backported the additional commit, tested the fix for
> completeness, prepared the updated package and uploaded it. However,
> since archive processing is currently suspended pending the resolution
> of the recently reported python-apt bug, it will probably wait in the
> upload queue until archive processing resumes. Once the ACCEPT message
> comes through I will prepare and publish the DLA.

I did not see an announcement that archive processing had resumed, but a
short while ago I received the ACCEPT message and the package built and
was uploaded and installed on all architectures. I went ahead and
published the DLA as well.

Regards,

-Roberto

--
Roberto C. Sánchez