Hi,

On Thu, Dec 21, 2023 at 03:16:22PM -0500, M. Zhou wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bookworm
> User: release.debian....@packages.debian.org
> Usertags: pu
> X-Debbugs-Cc: f...@packages.debian.org
> Control: affects -1 + src:fish
>
>
> [ Reason ]
>
> Cherry-pick upstream fix to CVE-2023-49284
>
> [ Impact ]
>
> This is a low severity security issue that affects basically
> all historical releases of fish. The upstream created new
> releases (i.e. 3.6.2) solely for fixing this bug.
> https://github.com/fish-shell/fish-shell/commits/Integration_3.6.2/
> So it would be good if we can integrate the fix into stable.
>
>
> [ Tests ]
>
> The fix is already included in fish/3.6.4-1 (sid).
> The rebased patch passed my local sbuild test.
> I installed the package in a chroot and tested it.
>
> [ Risks ]
>
> low.
>
> [ Checklist ]
> [x] *all* changes are documented in the d/changelog
> [x] I reviewed all changes and I approve them
> [x] attach debdiff against the package in (old)stable
> [x] the issue is verified as fixed in unstable
>
> [ Changes ]
>
> Only one change. Please refer to the patch header for explanation.
>
> [ Other info ]
>
> diff -Nru fish-3.6.0/debian/changelog fish-3.6.0/debian/changelog > --- fish-3.6.0/debian/changelog 2023-05-01 13:01:01.000000000 -0400 > +++ fish-3.6.0/debian/changelog 2023-12-21 14:47:56.000000000 -0500 > @@ -1,3 +1,9 @@ > +fish (3.6.0-3.1+deb12u1) bookworm; urgency=medium > + > + * Cherry-pick upstream fix for CVE-2023-49284.
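
Review bot: the changelog entry at "* Cherry-pick upstream fix for CVE-2023-49284." names only the CVE, while the request defers to the patch header for the explanation. Consider naming the added patch file in the entry and saying in a few words what the fix changes, so that debian/changelog documents the change by itself. The hunk header "@@ -1,3 +1,9 @@" announces six added lines but the quote stops after this one, so the remainder of the entry cannot be checked from what is visible here.
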
Can you as well add a bug closer for #1057455?

Regards,
Salvatore