Control: tags -1 confirmed moreinfo

Simon McVittie:
> Package: release.debian.org
> Severity: normal
> User: release.debian....@packages.debian.org
> Usertags: unblock
>
> I would like to follow the 1.2.x stable-branch of flatpak in buster for
> as long as it's maintained upstream, similar to what I did with 0.8.x
> in stretch. Are the release team happy with this in principle?
>
> In the short term, this means uploading flatpak 1.2.4 to unstable. It
> fixes CVE-2019-10063 (incomplete defence against command injection with
> TIOCSTI) and some non-security bugs. I attach a proposed diff: may I
> upload this if my tests are successful?
>
> If 1.2.4 is not acceptable, please unblock 1.2.3-2 instead, to fix
> CVE-2019-10063 but not the non-security bugs (I already uploaded that
> version). I've attached the debdiff for that too.
>
> See also #925569, the corresponding stable-update.
>
> Thanks,
> smcv
>

Hi,

Please go with 1.2.4 and remove the moreinfo tag when it is ready to be
unblocked.

Thanks,
~Niels