On 2017-01-29 09:35:18, Martin Pitt wrote:
> Control: notfound -1 2.75.1+dfsg-1
>
> Hello Antoine,
>
> Antoine Beaupre [2017-01-28 15:56 -0500]:
>> Someone pointed me to this note in the 2.75.1 changelog:
>>
>> E-book viewer: Prevent javascript in the book from accessing files
>> on the computer using XMLHttpRequest.
>
> I did mention this in the 2.75.1 changelog
> (https://tracker.debian.org/news/827355), so marking as fixed in the current
> testing/unstable version.
Right, okay. Next time could you coordinate more closely with the security team? As a reminder, here's how security bugs should be handled in Debian:

https://www.debian.org/doc/manuals/developers-reference/ch05.en.html#bug-security

In particular, in this case, I believe the process should have been:

1. file a bug in the BTS describing the issue (done now)
2. notify t...@security.debian.org of the issue (you can assume this is done now, as I have noticed the issue, but it would have been preferable to be proactive)
3. (optionally) request a CVE at OSS-security with a CC to upstream: http://oss-security.openwall.org/wiki/mailing-lists/oss-security
4. upload the package fixing the aforementioned bug (done)
5. (optionally) help the security team backport the patch to stable and (even more optionally) to Debian LTS

Point #2, above, is especially important. It's a pure coincidence that a developer with access to the security tracker (me, in this case) noticed this issue. I believe it is your responsibility, as package maintainer, to make sure security issues do not go unnoticed in Debian, so you should have at least sent an email to t...@security.debian.org with this issue.

Do you want to take care of requesting the CVE? Are you available to help backporting the patch to jessie? I am the person that uploaded the backport, so I can take care of that bit. :)

> The corresponding upstream commit is:
> https://github.com/kovidgoyal/calibre/commit/3a89718664cb8c

I have added this information in the security tracker, thanks!

Are you aware of any other issues in Calibre's history that are not reflected in the security tracker and that could affect currently supported Debian releases (which go all the way back to Wheezy now, 0.8.51!!):

https://security-tracker.debian.org/tracker/source-package/calibre

Thanks for any feedback!

A.

--
We tend to overestimate the effect of a technology in the short run and underestimate the effect in the long run. - Roy Amara