Hi, On Sun, Apr 12, 2020 at 10:34:27PM +0100, Adam D. Barratt wrote: > Control: tags -1 + confirmed > > On Sat, 2020-02-08 at 10:51 +0100, Vincent Bernat wrote: > > ❦ 8 février 2020 08:43 +01, Salvatore Bonaccorso <car...@debian.org > > >: > > > > > This needs to be rebased to the 1.8.19-1+deb10u1 which was released > > > as > > > DSA 4577-1 AFAICT. > > > > Oh, sorry. Here is the updated patch. > > Please go ahead.
Too late for buster 10.4 but actually this would need to be rebased to the 1.8.19-1+deb10u2 as there was another DSA for haproxy (but not including this CVE fix). So the version will be 1.8.19-1+deb10u3 by now. If before the next point release will be another haproxy update this fix for the CVE can be included as well, IMHO. Regards, Salvatore
