Quoting Salvatore Bonaccorso (2020-03-26 16:09:56)
> Hi Jonas,
>
> On Thu, Mar 26, 2020 at 03:19:45PM +0100, Jonas Smedegaard wrote:
> > Quoting Salvatore Bonaccorso (2020-03-26 14:56:39)
> > > Hey Jonas!
> > >
> > > [Cc'ing security team address]
> > >
> > > On Thu, Mar 26, 2020 at 12:13:34PM +0100, Jonas Smedegaard wrote:
> > > > Quoting Salvatore Bonaccorso (2020-03-25 21:07:13)
> > > > > The following vulnerability was published for libunivalue.
> > > > >
> > > > > CVE-2019-18936[0]:
> > > > > | UniValue::read() in UniValue before 1.0.5 allow attackers to
> > > > > | cause a denial of service (the class internal data reaches an
> > > > > | inconsistent state) via input data that triggers an error.
> > > > >
> > > > > If you fix the vulnerability please also make sure to include the
> > > > > CVE (Common Vulnerabilities & Exposures) id in your changelog
> > > > > entry.
> > > > >
> > > > > For further information see:
> > > > >
> > > > > [0] https://security-tracker.debian.org/tracker/CVE-2019-18936
> > > > >     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18936
> > > > > [1] https://github.com/jgarzik/univalue/pull/58
> > > >
> > > > I have prepared fixed packages for stretch and buster for this
> > > > issue.
> > > >
> > > > In case you want to examine my work (I would highly appreciate that!)
> > > > they are available on newly created branches debian/buster and
> > > > debian/stretch in git
> > > > g...@salsa.debian.org:cryptocoin-team/libunivalue.git a.k.a.
> > > > https://salsa.debian.org/cryptocoin-team/libunivalue.git
> > > >
> > > > How do I proceed?
> > >
> > > Many thanks for working on fixes in all affected branches. I quickly
> > > skimmed over the cherry-picked patch and it looks good to me. That
> > > said though the issue looks to me more a no-DSA candidate, and could
> > > be fixed in a regular point release.
> > >
> > > Unless you feel I'm overlooking something important, can I route you
> > > there?
> > > https://www.debian.org/doc/manuals/developers-reference/pkgs.en.html#special-case-uploads-to-the-stable-and-oldstable-distributions
> > >
> > > contains some information.
> >
> > I think you know better than me which types of CVEs are DSA candidates.
> >
> > If you consider this a non-DSA bug then it seems (from above referenced
> > URL) that the release managers prefer that you apply a "non-DSA" tag in
> > the CVE tracker.
>
> Yes which I did actually already earlier[1] while replying to you
> here :)
>
> [1]
> https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/29eb855aeb7733cbe600080b2277fee115c6cff0

Ah, then it simply takes time to appear at
https://security-tracker.debian.org/tracker/source-package/libunivalue
(where I checked before posting my request/suggestion).

Thanks, I will follow the *-proposed-updates approach.

 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private