Quoting Salvatore Bonaccorso (2020-03-26 14:56:39)
> Hey Jonas!
>
> [Cc'ing security team address]
>
> On Thu, Mar 26, 2020 at 12:13:34PM +0100, Jonas Smedegaard wrote:
> > Quoting Salvatore Bonaccorso (2020-03-25 21:07:13)
> > > The following vulnerability was published for libunivalue.
> > >
> > > CVE-2019-18936[0]:
> > > | UniValue::read() in UniValue before 1.0.5 allow attackers to
> > > | cause a denial of service (the class internal data reaches an
> > > | inconsistent state) via input data that triggers an error.
> > >
> > > If you fix the vulnerability please also make sure to include the
> > > CVE (Common Vulnerabilities & Exposures) id in your changelog
> > > entry.
> > >
> > > For further information see:
> > >
> > > [0] https://security-tracker.debian.org/tracker/CVE-2019-18936
> > >     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18936
> > > [1] https://github.com/jgarzik/univalue/pull/58
> >
> > I have prepared fixed packages for stretch and buster for this
> > issue.
> >
> > In case you want to examine my work (I would highly appreciate that!)
> > they are available on newly created branches debian/buster and
> > debian/stretch in git
> > g...@salsa.debian.org:cryptocoin-team/libunivalue.git a.k.a.
> > https://salsa.debian.org/cryptocoin-team/libunivalue.git
> >
> > How do I proceed?
>
> Many thanks for working on fixes in all affected branches. I quickly
> skimmed over the cherry-picked patch and it looks good to me. That
> said though the issue looks to me more a no-DSA candidate, and could
> be fixed in a regular point release.
>
> Unless you feel I'm overlooking something important, can I route you
> there?
> https://www.debian.org/doc/manuals/developers-reference/pkgs.en.html#special-case-uploads-to-the-stable-and-oldstable-distributions
>
> contains some information.
I think you know better than me which types of CVEs are DSA candidates. If you consider this a non-DSA bug then it seems (from the above referenced URL) that the release managers prefer that you apply a "non-DSA" tag in the CVE tracker.

Thanks for your help,

 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private
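The CVE text quoted in the thread describes the failure mode only abstractly: a parse error leaves "the class internal data" inconsistent. The following is an added example, not code from the thread, from UniValue or from the linked pull request; it is a toy object parser (hypothetical `ToyObj`, `VulnerableObj`, `HardenedObj`, `parseInto`) that reproduces that class of bug and one way to close it. The toy keeps keys and values in two parallel vectors and assumes the invariant `keys.size() == values.size()`; whether the real library is structured this way or fixed it this way is not claimed here, see the PR link above for the actual change.

```cpp
#include <cassert>
#include <cctype>
#include <cstddef>
#include <string>
#include <utility>
#include <vector>

// Toy key/value document. keys[i] pairs with values[i]; get() relies on
// keys.size() == values.size(). (Constructed for illustration, not UniValue.)
struct ToyObj {
    std::vector<std::string> keys;
    std::vector<long> values;

    bool consistent() const { return keys.size() == values.size(); }

    // Returns the value stored under k, or 0 if absent. If the invariant is
    // broken this is an out-of-bounds read, which is the DoS the CVE names.
    long get(const std::string& k) const {
        for (size_t i = 0; i < keys.size(); ++i)
            if (keys[i] == k) return values[i];
        return 0;
    }
};

// Grammar: {"key":123,"key2":-4} with no nesting and no whitespace.
// Appends into `out` as it goes and returns false at the first error, so a
// caller that passes its own state in gets a half-populated object on failure.
static bool parseInto(const std::string& s, ToyObj& out) {
    size_t i = 0;
    if (i >= s.size() || s[i] != '{') return false;
    ++i;
    if (i < s.size() && s[i] == '}') return i + 1 == s.size();
    for (;;) {
        if (i >= s.size() || s[i] != '"') return false;
        size_t end = s.find('"', i + 1);
        if (end == std::string::npos) return false;
        out.keys.push_back(s.substr(i + 1, end - i - 1)); // key committed before its value
        i = end + 1;
        if (i >= s.size() || s[i] != ':') return false;
        ++i;
        size_t start = i;
        if (i < s.size() && s[i] == '-') ++i;
        while (i < s.size() && std::isdigit(static_cast<unsigned char>(s[i]))) ++i;
        if (i == start || (i == start + 1 && s[start] == '-')) return false;
        out.values.push_back(std::stol(s.substr(start, i - start)));
        if (i >= s.size()) return false;
        if (s[i] == '}') return i + 1 == s.size();
        if (s[i] != ',') return false;
        ++i;
    }
}

// Vulnerable pattern: parse straight into *this. Input that fails after a key
// was pushed but before its value leaves keys.size() == values.size() + 1.
struct VulnerableObj : ToyObj {
    bool read(const std::string& s) { return parseInto(s, *this); }
};

// Hardened pattern: parse into scratch storage and commit with swap only on
// success, so *this is untouched (and still consistent) when read() fails.
// Clearing *this on entry would also restore the invariant, but would drop the
// previous contents on a bad read.
struct HardenedObj : ToyObj {
    bool read(const std::string& s) {
        ToyObj tmp;
        if (!parseInto(s, tmp)) return false;
        keys.swap(tmp.keys);
        values.swap(tmp.values);
        return true;
    }
};

// Stand-alone check on a constructed truncated input.
int main() {
    const std::string bad = "{\"a\":1,\"b\":"; // constructed: value for "b" missing
    VulnerableObj v;
    bool vulnBroken = !v.read(bad) && !v.consistent();
    HardenedObj h;
    bool hardOk = h.read("{\"a\":1}") && !h.read(bad) && h.consistent() && h.get("a") == 1;
    return (vulnBroken && hardOk) ? 0 : 1;
}
```

Running it, the vulnerable object ends the failed read with two keys and one value, while the hardened one still holds the earlier successful parse. A fuzzer feeding truncated input to `read()` is the quickest way to find the first pattern in a real parser: assert the invariant after every failed call.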