* Christoph Anton Mitterer <cales...@scientia.net>, 2014-06-22, 04:19:
> - As you implemented your OpenPGP signature based verification system, you allow for both downgrade and blocking attacks:

In practice, it means anyone who grabbed an old version of get-upstream-version.pl and its signature, and is capable of MITM, can still exploit bugs of this old version. For example, this bug:
https://lists.debian.org/20121212191044.gd29...@seestieto.com

* Michael Gilbert <mgilb...@debian.org>, 2014-06-21, 22:34:
> control: severity -1 important
> control: tag -1 -security

If a remotely exploitable root security hole is not “critical” and is not a security problem, then I don't know what is.
> Contrib doesn't get any security support.

If it was an upstream bug AND we couldn't get it fixed ourselves (due to licensing or lack of source) AND upstream was not willing to fix it either, then that would be justification for the wontfix tag (but not for any changes you made).
However, this is a bug specifically introduced by the Debian package. There is no excuse for not fixing it.
> Users worried about security should avoid contrib and non-free.

Developers allergic to contrib and non-free should leave alone bugs against contrib and non-free packages.
-- 
Jakub Wilk
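The downgrade problem described above (a genuine but old signature stays acceptable, so a MITM can keep serving a buggy old release), as an added example that is neither this thread's nor the Debian package's code: the HMAC, the `version`/`signed_at` fields, integer version numbers and the client `state` dictionary are all assumptions standing in for the OpenPGP signature and the real metadata.

```python
import hashlib
import hmac
import json

# Constructed demo key: stands in for the maintainer's OpenPGP signing key.
SIGNING_KEY = b"constructed-demo-signing-key"


def sign(metadata: dict) -> bytes:
    """HMAC over canonical JSON; a stand-in for the OpenPGP signature."""
    blob = json.dumps(metadata, sort_keys=True).encode()
    return hmac.new(SIGNING_KEY, blob, hashlib.sha256).digest()


def signature_valid(metadata: dict, sig: bytes) -> bool:
    return hmac.compare_digest(sign(metadata), sig)


def accept_signature_only(metadata: dict, sig: bytes) -> bool:
    """Checks only that the signature is genuine. Every version ever
    signed stays acceptable forever, so a MITM can replay an old one."""
    return signature_valid(metadata, sig)


def accept_with_freshness(metadata: dict, sig: bytes, state: dict, now: int) -> bool:
    """Genuine signature AND version never goes backwards AND the
    signature is recent enough that withheld updates get noticed."""
    if not signature_valid(metadata, sig):
        return False
    if metadata["version"] < state["last_version"]:
        return False  # downgrade: older than what this client already has
    if now - metadata["signed_at"] > state["max_age"]:
        return False  # stale: newer metadata is being blocked from us
    state["last_version"] = metadata["version"]
    return True


def demo() -> tuple:
    """A client already on v2 is handed the still validly signed v1 again."""
    day = 86400
    t0 = 1_400_000_000  # constructed timestamp (assumed UNIX seconds)
    old = {"version": 1, "signed_at": t0}
    new = {"version": 2, "signed_at": t0 + day}
    state = {"last_version": 0, "max_age": 30 * day}
    now = t0 + 2 * day
    assert accept_with_freshness(new, sign(new), state, now)
    naive = accept_signature_only(old, sign(old))
    hardened = accept_with_freshness(old, sign(old), state, now)
    return naive, hardened


if __name__ == "__main__":
    print(demo())  # (True, False)
```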