[22:54] <jonesv> Say Ubuntu 20.04 ships a package (in universe) that has a critical CVE. It ships version 5.3, and the CVE was fixed in 5.4. What process should I follow to try to get the package updated to 5.4? I have been reading https://packaging.ubuntu.com/html/, but it's not completely clear to me because I don't have a patch/bugfix, I just know that there is a minor update of that package that fixes it
[22:55] <jonesv> (it's for python3-yaml: https://scout.docker.com/vulnerabilities/id/CVE-2020-14343)
[22:55] -ubottu:#ubuntu-motu- A vulnerability was discovered in the PyYAML library in versions before 5.4, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. This flaw allows an attacker to execute arbitrary ... <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14343>
[23:01] <RikMills> jonesv: according to the ubuntu changelog, 5.3.1-1ubuntu0.1 includes a security update for that CVE by applying a patch
[23:01] <RikMills> https://launchpad.net/ubuntu/+source/pyyaml/5.3.1-1ubuntu0.1
[23:23] <rbasak> jonesv: also see: https://wiki.ubuntu.com/SecurityTeam/FAQ#Versions
[23:25] <rbasak> And https://ubuntu.com/security/CVE-2020-14343