Hi Roberto,

On Fri, Dec 20, 2019 at 10:37:50AM -0500, Roberto C. Sánchez wrote:
> On Fri, Dec 20, 2019 at 08:36:00AM +0100, Salvatore Bonaccorso wrote:
> > Hi Roberto,
> >
> > On Thu, Dec 19, 2019 at 08:06:19PM -0500, Roberto C. Sánchez wrote:
> > > On Thu, Dec 19, 2019 at 09:19:19PM +0100, Salvatore Bonaccorso wrote:
> > > >
> > > > The following vulnerability was published for cyrus-sasl2.
> > > >
> > > > CVE-2019-19906[0]:
> > > > Off by one in _sasl_add_string function
> > > >
> > > > If you fix the vulnerability please also make sure to include the
> > > > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> > > >
> > > Hi Team,
> > >
> > > Is anybody already working on this update? If not, I can start on it
> > > possibly tomorrow or perhaps the day after.
> > >
> > > Salvatore,
> > >
> > > If I (or someone else on the team) prepares the upload, do we go ahead
> > > and make the upload then let the security team handle the DSA
> > > publication?
> >
> > I already started yesterday, and have buster and stretch packages,
> > will likely release the DSA later today or tomorrow. So far tested
> > just lightly for stretch but will double check explicitly against
> > openldap.
> >
> Oh! That's excellent.

And released as DSA 4591-1. Note: the patch was not committed upstream at the point of writing this.

And I see Mike released for LTS as well.

> > unstable would need an update as well yet.
> >
> Of course.

Ideally this happens soon, but the RC bug is enough to mark the 'stable' -> 'testing' regression. Just let me know if any of you can do it or if you would prefer an NMU with the same patch (both approaches work for me).

> > Can you later import then the changes in the packaging repository in
> > the appropriate branches?
> >
> I could manage that in the coming days. Unless Ondrej or someone else
> gets to it first.

Thanks!

Regards,
Salvatore