
Bug#900920: stretch-pu: package freedink-dfarc/3.12-1+deb9u1



Hi,

On 08/06/2018 19:55, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
>
> On Wed, 2018-06-06 at 19:54 +0200, beuc@debian.org wrote:
>> Please consider this update to freedink-dfarc for stretch.
>> It fixes a security issue that can overwrite arbitrary user files.
>> Sending to stable following security team's directions from 2018-06-01.
> +freedink-dfarc (3.12-1+deb9u1) stable; urgency=high
>
> Please use "stretch" as the distribution.
>
> +  * Fix directory traversal in D-Mod extractor (CVE-2018-0496)
> +  * Upload to 'stable' as security team rejected a DSA to
> +    'stretch-security' (no justification)
>
> The changelog is not the place for such commentary - please remove it.
>
> With the above changes made, and assuming that the resulting package
> has been tested on stretch, please feel free to upload.

As per Social Contract #3 I do have to explain to my users why they get
the security fix after the disclosure.
This is not a commentary, this is purely factual.

Please advise.

- Sylvain

