Your message dated Thu, 19 Jul 2018 16:56:00 +0000
with message-id <9fd8b5b0-7472-e32f-ec58-7c9e60ad1...@debian.org>
and subject line Re: koji_1.16.0-2_source.changes ACCEPTED into unstable
has caused the Debian Bug report #877921,
regarding koji: CVE-2017-1002153: Possible to bypass allowed_scm blacklist
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
877921: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=877921
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: koji
Version: 1.10.0-1
Severity: important
Tags: security upstream patch
Hi,
the following vulnerability was published for koji.
CVE-2017-1002153[0]:
| Koji 1.13.0 does not properly validate SCM paths, allowing an attacker
| to work around blacklisted paths for build submission.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-1002153
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1002153
[1] https://pagure.io/koji/issue/563
[2] https://pagure.io/koji/c/ba7b5a3cbed11ade11c3af5e834c9a6de4f6d7c3
Regards,
Salvatore
--- End Message ---
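The CVE text above says only that SCM paths were not validated properly, so a submitted repository URL could fall outside the paths an administrator meant to allow. As an added illustration of what a sound allowed-SCM check has to get right (this is example code written for this page, not koji's own implementation, and the allowlist shape, the accepted scheme set and the function names are assumptions), the validator below parses the URL with `urllib.parse.urlsplit`, takes the host only from the parsed hostname, normalises `.`/`..` segments out of the path, and then compares against each allowlist entry on a `/` boundary rather than with a plain string-prefix test:

```python
import fnmatch
import posixpath
from urllib.parse import urlsplit

# Constructed allowlist of (host pattern, path prefix) pairs. The shape is an
# assumption for this example, not koji's allowed_scms syntax.
ALLOWED_SCMS = [
    ("git.example.org", "/trusted"),   # only repositories under /trusted on this host
    ("*.build.example.org", "/"),      # any path on the internal build hosts
]

# Schemes this example accepts; an assumption, not a koji setting.
ALLOWED_SCHEMES = {"git", "git+ssh", "git+https", "https", "ssh"}


def parse_scm_url(url):
    """Return (hostname, normalised absolute path) for an SCM URL, or raise ValueError."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError("scheme not allowed: %r" % parts.scheme)
    # .hostname strips userinfo and the port and lowercases the host, so the
    # host compared below is the one the client would actually connect to.
    host = parts.hostname
    if not host:
        raise ValueError("URL has no host")
    # Collapse "." and ".." segments before any prefix comparison is made.
    path = posixpath.normpath(parts.path)
    if not path.startswith("/") or path.startswith("//"):
        raise ValueError("path must be absolute: %r" % parts.path)
    return host, path


def path_under_prefix(path, prefix):
    """True if path equals prefix or lies below it on a '/' boundary."""
    prefix = posixpath.normpath(prefix)
    if prefix == "/":
        return True
    # "/trusted" must not accept "/trustedX/..."; only "/trusted" or "/trusted/...".
    return path == prefix or path.startswith(prefix + "/")


def is_allowed(url, allowlist=ALLOWED_SCMS):
    """Decide whether an SCM URL may be used for a build submission."""
    try:
        host, path = parse_scm_url(url)
    except ValueError:
        return False
    return any(
        fnmatch.fnmatchcase(host, host_pattern) and path_under_prefix(path, prefix)
        for host_pattern, prefix in allowlist
    )


if __name__ == "__main__":
    # Constructed sample URLs exercising each branch of the check.
    for sample in (
        "git://git.example.org/trusted/pkg.git#deadbeef",
        "git://git.example.org:9418/trusted/pkg.git",
        "git://git.example.org/trustedX/pkg.git",
        "git://git.example.org/trusted/../untrusted/pkg.git",
        "git://ci.build.example.org/anything/pkg.git",
        "git://evil.example.org/trusted/pkg.git",
        "file:///trusted/pkg.git",
    ):
        print("%-55s %s" % (sample, "allowed" if is_allowed(sample) else "rejected"))
```

The design point is that every comparison runs on the parsed, normalised form: the host is whatever `urlsplit` reports as the hostname (port and userinfo removed), and the path is compared after `normpath` so that a `..` segment cannot move a URL out of the permitted tree while still starting with the permitted string.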
--- Begin Message ---
Version: 1.16.0-1
Sergio Durigan Junior:
> On Sunday, July 08 2018, Debian FTP Masters wrote:
>> [..]
>> Changes:
>> koji (1.16.0-2) unstable; urgency=medium
>> .
>> * Install a conf file for fedora's current main koji hub.
>
> Hello Ximin,
>
> I was preparing here to start working on packaging python{,3}-koji when
> I noticed that koji is already packaged. Sweet! However, I felt like
> pointing out a few things I noticed on this upload.
>
> This is a very concise (and incomplete) changelog entry... It doesn't
> mention the new upstream version and doesn't close a few bugs that could
> have been closed.
>
Hi, all of this is mentioned in the changelog entry for 1.16.0-1 but I fucked
up that upload so nobody saw the mails and the bugs didn't get closed. Thanks
for pointing that out, I'm closing the bugs with this email now.
> Secondly, I would like to propose renaming the current "koji-common"
> package to "python{,3}-koji" (IOW, we'd also build it for Python 3),
> which would make it have the same name as in Fedora. WDYT?
>
That sounds good to me, do whatever you like with the package. :) I actually
don't want to maintain it long-term, I just needed to run koji myself for other
reasons.
IIRC migrating to Python 3 involves some extra changes to Build-Depends etc.,
which is why I didn't do it myself yet. Possibly some stuff is not yet in
Debian and will also need to be packaged, just a heads up.
X
--
GPG: ed25519/56034877E1F87C35
GPG: rsa4096/1318EFAC5FBBDBCE
https://github.com/infinity0/pubkeys.git
--- End Message ---
_______________________________________________
Reproducible-builds mailing list
Reproducible-builds@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/reproducible-builds