Hello,

What is the right way to contact the Security Team? I have tried the tracker, and a variety of e-mail addresses, but nothing yet (maybe I'm doing something wrong?). An update to Debian 7 was released today without a security fix for my package jquery-jplayer, even though the fix has been available for one solid month :-/

---------- Forwarded message ----------
From: Pau Garcia i Quiles <pgqui...@elpauer.org>
Date: Fri, May 31, 2013 at 10:09 AM
Subject: Fwd: Debian RT
To: secur...@rt.debian.org
Cc: secur...@debian.org, t...@security.debian.org, Vincent Bernat <ber...@debian.org>

Hello,

I have had no response to my security report in two weeks. Any news on allowing jquery-jplayer 2.1.0-3 in the security repository?

Also, this is wrong: https://security-tracker.debian.org/tracker/CVE-2013-2023

ALL versions are vulnerable. The fix for stable is 2.1.0-3 (waiting for an answer from the Security Team) and the "fix" for testing/unstable is 2.3.4-1, which Vincent just sponsored.

Thank you.

---------- Forwarded message ----------
From: Pau Garcia i Quiles <pgqui...@elpauer.org>
Date: Thu, May 16, 2013 at 6:22 PM
Subject: Debian RT
To: secur...@rt.debian.org
Cc: Vincent Bernat <ber...@luffy.cx>

Hello,

A new XSS vulnerability was discovered in my package jquery-jplayer. Useful information (as listed in the DD Reference):

- Whether or not the bug is already public
  The bug is public and classified as CVE-2013-2023.

- Which versions of the package are known to be affected by the bug. Check each version that is present in a supported Debian release, as well as testing and unstable
  Upstream versions 2.2.19 and newer are affected, including 2.3.0.
  Wheezy contains 2.1.0-2, which is upstream's 2.1.0 plus three backported security fixes.
  Testing contains 2.1.0-2 too.
  Sid contains 2.3.0-1, which is upstream's 2.3.0, unchanged. I am packaging upstream's 2.3.2 as 2.3.2-1 and it will be ready later today.

- The nature of the fix, if any is available (patches are especially helpful)
  Backport of upstream's fixes.

- Any fixed packages that you have prepared yourself (send only the .diff.gz and .dsc files and read Section 5.8.5.4, “Preparing packages to address security issues” first)
  jquery-jplayer 2.1.0-3 contains the fixes. It is available from mentors: http://mentors.debian.net/debian/pool/main/j/jquery-jplayer/jquery-jplayer_2.1.0-3.dsc
  Debdiff to 2.1.0-2 attached.

- Any assistance you can provide to help with testing (exploits, regression testing, etc.)

- Any information needed for the advisory (see Section 5.8.5.3, “Security Advisories”)
  Please check CVE-2013-2023.

--
Pau Garcia i Quiles
http://www.elpauer.org
(Due to my workload, I may need 10 days to answer)
Attachment: jquery-jplayer_2.1.0-2_to_2.1.0-3.debdiff (binary data)