Hi Daniel,

On Thu, Oct 08, 2015 at 01:05:30PM +0200, Daniel Stender wrote:
> On 08.10.2015 13:00, Salvatore Bonaccorso wrote:
> > Hello Daniel,
> > 
> > On Thu, Oct 08, 2015 at 12:20:27PM +0200, Daniel Stender wrote:
> >> Hello,
> >> 
> >> there was a bug reported on gummi/0.6.5-3 [1], the program uses
> >> predictable filenames in /tmp [2].
> >> 
> >> I'm going to fix that problem now (upstream is dead). Question: do
> >> we have a (minor) security related problem here, which also needs to
> >> be fixed for stable? I've learned from another case that this might
> >> be a problematic race condition [3].
> > 
> > Thanks for going to fix this in unstable already. For wheezy and
> > jessie: This issue does not warrant on its own a DSA, in particular
> > since such issues are mitigated in Debian: cf.
> > https://www.debian.org/releases/stable/amd64/release-notes/ch-whats-new.en.html#security
> > 
> > But: Could you fix this in wheezy and jessie via the proposed-updates
> > mechanism? See
> > https://www.debian.org/doc/manuals/developers-reference/ch05.en.html#upload-stable
> > 
> > Regards,
> > Salvatore
> 
> Thx for the quick reply!

You are welcome!

> Yes, o.k., I'm going to fix this as non-dsa over proposed updates. I guess
> a CVE request on this is not necessary, is it? Are you going to create an
> entry in the security tracker, anyway?

I have actually already created a tracker entry, see
https://security-tracker.debian.org/756432 .

For the CVE request: not absolutely necessary but helps identifying it
across various security trackers. Do you want to request a CVE on your
own? This needs to be done on the oss-security mailing list:

http://oss-security.openwall.org/wiki/mailing-lists/oss-security

Regards,
Salvatore
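The predictable-filename race discussed in this thread, as an added example that is not gummi's code and not taken from the bug report: an attacker who guesses the fixed /tmp name plants a symlink there first, and an open() with O_CREAT|O_TRUNC then follows it and truncates whatever the link points at. The fix is either O_CREAT|O_EXCL|O_NOFOLLOW on a name you must keep, or, better, mkstemp(3), which picks an unpredictable name and creates it atomically. The kernel-side mitigation Debian enables (fs.protected_symlinks) only restricts symlink following inside sticky world-writable directories such as /tmp, so the demo builds its own private 0700 scratch directory under $TMPDIR (or /tmp) to show the unmitigated behaviour; the file names, the "victim" contents and the helper names are assumptions made for the example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Paths used by the demo, filled in by setup_scenario(). The scratch
 * directory stands in for /tmp; all names here are hypothetical. */
static char g_dir[4096];
static char g_victim[4096];
static char g_predictable[4096];

/* Build the "attacker won the race" state: a private scratch dir holding a
 * victim file and, at the predictable name, a symlink pointing at it. */
int setup_scenario(void)
{
    const char *base = getenv("TMPDIR");
    if (base == NULL || *base == '\0')
        base = "/tmp";
    snprintf(g_dir, sizeof g_dir, "%s/tmprace-demo-XXXXXX", base);
    if (mkdtemp(g_dir) == NULL)          /* mode 0700: protected_symlinks does not apply */
        return -1;
    snprintf(g_victim, sizeof g_victim, "%s/victim", g_dir);
    snprintf(g_predictable, sizeof g_predictable, "%s/gummi-preview.tex", g_dir);

    FILE *f = fopen(g_victim, "w");
    if (f == NULL)
        return -1;
    fputs("important data\n", f);        /* 15 bytes the attacker wants destroyed */
    fclose(f);

    /* The attacker guessed the fixed name and created the link first. */
    return symlink(g_victim, g_predictable);
}

/* Size of the victim file, or -1 if it no longer exists. */
long victim_size(void)
{
    struct stat st;
    if (stat(g_victim, &st) != 0)
        return -1;
    return (long)st.st_size;
}

/* Vulnerable pattern: open a fixed name with O_CREAT|O_TRUNC. The kernel
 * follows the planted symlink and truncates its target. Returns 0 or errno. */
int vulnerable_create(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0)
        return errno;
    close(fd);
    return 0;
}

/* Hardened pattern for a name you must reuse: O_EXCL makes open() fail on
 * any existing entry (a symlink included, wherever it points) and
 * O_NOFOLLOW refuses to traverse a symlink at the last component.
 * Returns 0 on success, otherwise errno (EEXIST here). */
int hardened_create(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return errno;
    close(fd);
    return 0;
}

/* Preferred pattern: mkstemp(3) picks an unpredictable name and creates it
 * atomically with O_EXCL. Writes the chosen path to out; returns the fd. */
int unique_create(char *out, size_t outsz)
{
    char tmpl[4096];
    snprintf(tmpl, sizeof tmpl, "%s/gummi-XXXXXX", g_dir);
    int fd = mkstemp(tmpl);
    if (fd >= 0)
        snprintf(out, outsz, "%s", tmpl);
    return fd;
}

/* Remove everything setup_scenario() and unique_create() produced. */
void cleanup_scenario(const char *unique_path)
{
    if (unique_path != NULL)
        unlink(unique_path);
    unlink(g_predictable);
    unlink(g_victim);
    rmdir(g_dir);
}

int main(void)
{
    char uniq[4096];
    if (setup_scenario() != 0) { perror("setup"); return 1; }
    printf("victim before:            %ld bytes\n", victim_size());
    printf("hardened_create:          %s\n", strerror(hardened_create(g_predictable)));
    printf("victim after hardened:    %ld bytes\n", victim_size());
    printf("vulnerable_create:        %s\n", strerror(vulnerable_create(g_predictable)));
    printf("victim after vulnerable:  %ld bytes\n", victim_size());
    int fd = unique_create(uniq, sizeof uniq);
    printf("mkstemp chose %s (fd %d)\n", uniq, fd);
    if (fd >= 0) close(fd);
    cleanup_scenario(fd >= 0 ? uniq : NULL);
    return 0;
}
```

Run in the order shown: the hardened open fails with EEXIST and leaves the victim untouched, the vulnerable open "succeeds" and the victim shrinks to 0 bytes, and mkstemp returns a name the attacker could not have pre-planted. Note that O_EXCL alone is enough to reject the symlink; O_NOFOLLOW is belt-and-braces for the non-creating case. In a real /tmp, with protected_symlinks on, the vulnerable open would instead fail with EACCES when the symlink owner differs from the caller, which is the mitigation referred to above, but the program-level fix is still the one to ship.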