Hi,

On 08/06/2018 19:55, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
>
> On Wed, 2018-06-06 at 19:54 +0200, [email protected] wrote:
>> Please consider this update to freedink-dfarc for stretch.
>> It fixes a security issue that can overwrite arbitrary user files.
>> Sending to stable following security team's directions from
>> 2018-06-01.
> +freedink-dfarc (3.12-1+deb9u1) stable; urgency=high
>
> Please use "stretch" as the distribution.
>
> + * Fix directory traversal in D-Mod extractor (CVE-2018-0496)
> + * Upload to 'stable' as security team rejected a DSA to
> + 'stretch-security' (no justification)
>
> The changelog is not the place for such commentary - please remove it.
>
> With the above changes made, and assuming that the resulting package
> has been tested on stretch, please feel free to upload.

As per Social Contract #3 I do have to explain to my users why they get the security fix after the disclosure.
This is not a commentary, this is purely factual.

Please advise.

- Sylvain

