Hi Jörg! On Fri, Jul 12, 2019 at 11:36:13AM +0200, Jörg Frings-Fürst wrote: > tags 931878 +pending > thanks > > Hello Salvatore, > > I have the libonig release 6.9.2 with both upstream fixes for the CVEs > ready for upload. > > It is uploaded to mentors[1] and into the git[2]. > > Should the upload of the package be handled by the security team? > Or can I take care of it myself?
Those issues do not really warrant a DSA on it's own, cf. security-tracker entries which were marked no-dsa already. But: Ideally as first follows an unstable upload addressing those issues. Then ideally, and time permitting for you, propose to stable release managers an update for libonig fixing those issues isolalated for upcoming point releases for buster and for stretch. Cf. https://www.debian.org/doc/manuals/developers-reference/ch05.en.html#upload-stable Does this help? Regards, Salvatore
