On Tue, 27 Sep 2016 18:50:35 +0200, Florian Weimer <f...@deneb.enyo.de> wrote:
> Debian is a CNA-covered product, mpg123 is part of Debian,
> so it is unclear what to do here. I'll ask around.

Well, so far I did not get a response from http://iwantacve.org/ (linked from http://cve.mitre.org/cve/data_sources_product_coverage.html; by the way, both do not default to https) … I am not sure how long I should wait. Maybe the "Distributed Weakness Filing Project" consists of humans who don't work around the clock.

If there is a number from Debian, it's fine by me. We should just avoid having two assignments. And, well, mpg123 is part of Debian and numerous other distros/ports trees, as well as a stand-alone product people install on their MS Windows machines, or under OS/2 (yes, really ;-) … or in yet other contexts. Like just about any other open source project. I guess getting a CVE via the Debian umbrella might be the easiest route, though.

Getting the fix to the users is my top priority. Even without a CVE, a Debian bug report hopefully triggers a good number of downstream distros at least.

Alrighty then,

Thomas
pgpE8kePrXF5y.pgp
Description: OpenPGP digital signature