Control: tags -1 + confirmed
Control: severity -1 normal

On Thu, 2018-07-05 at 13:59 +0100, Sean Whitton wrote:
> Package: release.debian.org
> Severity: important

p-u bugs (in fact, basically all release.d.o bugs) are "normal" at most. There's no impact on the usability of the pseudo-package.

> git-annex in stretch is vulnerable to CVE-2018-10857 and
> CVE-2018-10859. This update is a minimal fix for those CVEs prepared
> by its upstream, Joey Hess:

Please go ahead.

> (ii) there is already a +deb9u1 version of git-annex in
> stretch-security, but not stretch, responding to a different
> CVE.
>
> I have based my work on the +deb9u1 upload, and I assume that
> uploading my +deb9u2 to stretch-proposed-updates will cause it to
> take precedence over the import of the +deb9u1 upload.

That's correct. The reason that the -security upload isn't already in proposed-updates is that it used a different .orig tarball from that uploaded to the main archive, causing the sync to fail.

Regards,

Adam