Hi Moritz,

Sorry for the late reply.

On Thu, Oct 31, 2019 at 11:39:52AM +0100, Moritz Schlarb wrote:
> Hi Salvatore,
>
> thanks for following up!
>
> On 30.10.19 17:33, Salvatore Bonaccorso wrote:
> > On Wed, Oct 30, 2019 at 11:27:34AM +0100, Moritz Schlarb wrote:
> >> fixed 923009 seafile/7.0.2-1
> >
> > I guess I have lost some context here. Can you clarify the following
> > before I proceed to mark the fixed version for the CVE as well in the
> > security-tracker?
> >
> > The question is the following: 923009, respectively CVE-2013-7469, is
> > associated with upstream issue
> > https://github.com/haiwen/seafile/issues/350 . But there was no closure
> > of this issue. In the previous BTS message you mentioned that the CVE
> > assignment was inaccurate; is the issue fixed with the new 0003 patch?
>
> Now that I think harder about it, it is probably not totally fixed, since
> it is still possible to use libraries encrypted with the older
> encryption format version (< 3). The patch just makes the new
> encryption version (3) work with GPL_CRYPTO. Since libraries are
> created by the server-side component (not yet/ever in Debian), the used
> encryption version is not really configurable by the user here.
>
> What would be your interpretation of the relevant Debian guidelines in
> this case, where the foot-gun is still there, but at least the default
> should be better now?

It depends, and there is no rule written in stone. In this case I was
thinking of concluding to keep the issue open until at least upstream
clarifies on
https://github.com/haiwen/seafile/issues/350#issuecomment-548307815
(respectively, if there will be a step towards not only making version 3
the default but disallowing the older formats as well). Do you disagree
or agree on that?

> > Were you able to reach out to MITRE (via the webform) to have the
> > references and description updated?
>
> I filled it out (on 06.03.19 as CVE Request 652193 FWIW), but never
> received a response, and it doesn't look like any changes were made...

:( Can you re-ping the autoreply you got, asking for a status update?

Regards,
Salvatore