Hi Jonas,

On Thu, Mar 26, 2020 at 03:19:45PM +0100, Jonas Smedegaard wrote:
> Quoting Salvatore Bonaccorso (2020-03-26 14:56:39)
> > Hey Jonas!
> >
> > [Cc'ing security team address]
> >
> > On Thu, Mar 26, 2020 at 12:13:34PM +0100, Jonas Smedegaard wrote:
> > > Quoting Salvatore Bonaccorso (2020-03-25 21:07:13)
> > > > The following vulnerability was published for libunivalue.
> > > >
> > > > CVE-2019-18936[0]:
> > > > | UniValue::read() in UniValue before 1.0.5 allow attackers to
> > > > | cause a denial of service (the class internal data reaches an
> > > > | inconsistent state) via input data that triggers an error.
> > > >
> > > > If you fix the vulnerability please also make sure to include the
> > > > CVE (Common Vulnerabilities & Exposures) id in your changelog
> > > > entry.
> > > >
> > > > For further information see:
> > > >
> > > > [0] https://security-tracker.debian.org/tracker/CVE-2019-18936
> > > >     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18936
> > > > [1] https://github.com/jgarzik/univalue/pull/58
> > >
> > > I have prepared fixed packages for stretch and buster for this
> > > issue.
> > >
> > > In case you want to examine my work (I how highly appreciate that!)
> > > they are available on newly created branches debian/buster and
> > > debian/stretch in git
> > > g...@salsa.debian.org:cryptocoin-team/libunivalue.git a.k.a.
> > > https://salsa.debian.org/cryptocoin-team/libunivalue.git
> > >
> > > How do I proceed?
> >
> > Many thanks for working on fixes in all affected branches. I quickly
> > skimmed over the cherry-picked patch and it looks good to me. That
> > said though the issue looks to me more a no-DSA candidate, and could
> > be fixed in a regular point release.
> >
> > Unless you feel I'm overlooking something important, can I route you
> > there?
> > https://www.debian.org/doc/manuals/developers-reference/pkgs.en.html#special-case-uploads-to-the-stable-and-oldstable-distributions
> >
> > contains some information.
>
> I think you know better than me which types of CVEs are DSA candidates.
>
> If you consider this a non-DSA bug then it seems (from above referenced
> URL) that the release managers prefer that you apply a "non-DSA" tag in
> the CVE tracker.

Yes, which I did actually already earlier[1] while replying to you here :)

[1] https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/29eb855aeb7733cbe600080b2277fee115c6cff0

Regards,
Salvatore