Re: Bug#905332: debdiff


Re: Bug#905332: debdiff

wferi
[hidden email] (Ferenc Wágner) writes:

> Christian Fischer <[hidden email]> writes:
>
>> On Fri, 03 Aug 2018 14:42:16 +0200 [hidden email] (Ferenc Wágner) wrote:
>>
>>> Unfortunately the CVE hasn't arrived yet; I'll
>>> forward it to you once it does.  My acknowledgement mail is of
>>> subject "CVE Request 548000 for CVE ID Request" from
>>> [hidden email] (just for the record).
>>
>> have you received a CVE for this issue yet? Tried to look around in
>> various sources but wasn't able to identify a published CVE for this
>> issue yet.
>
> I haven't received a CVE for this issue, unfortunately.  My original
> request was deflected by Mitre saying that the Apache Software
> Foundation should issue this CVE.  However, the Apache webpage states
> that they issue IDs for undisclosed vulnerabilities only.  My three
> followup mails asking for clarification remained unanswered by Mitre.
>
> To add more bad news, according to http://santuario.apache.org/ the just
> released 2.0.2 fixes a very similar bug, which might mean another DoS; I
> couldn't investigate yet.  But if it does, we'll need yet another CVE
> for that.  I'm sending out some queries.

Shibboleth upstream confirmed that it's basically more of the same
issue: https://alioth-lists.debian.net/pipermail/pkg-shibboleth-devel/2018-November/005382.html
"I would suggest you just attach this to the same CVE as before and
update it to reflect the versions involved."

Dear Security Team, please consider yourselves notified and please
advise how we should track/handle this.  I'm looking into backporting
the fix to the stable version 1.7.3-4+deb9u1.
--
Regards,
Feri


Re: Bug#905332: debdiff

Adam D Barratt
On 2018-11-06 14:43, [hidden email] wrote:
> Dear Security Team, please consider yourselves notified and please

[hidden email] is *not* a contact point for the
Security Team, it's a public discussion list.

Regards,

Adam


Re: Bug#905332: debdiff

Ferenc Wágner
"Adam D. Barratt" <[hidden email]> writes:

> On 2018-11-06 14:43, [hidden email] wrote:
>
>> Dear Security Team, please consider yourselves notified and please
>
> [hidden email] is *not* a contact point for the
> Security Team, it's a public discussion list.

Ah, thanks, Adam (https://security-team.debian.org/contact.html is
pretty confusing in its current state).  I sent a pointer to
[hidden email].
--
Regards,
Feri


Re: Bug#905332: debdiff

Salvatore Bonaccorso
Hi Ferenc,

On Tue, Nov 06, 2018 at 05:12:12PM +0100, Ferenc Wágner wrote:

> "Adam D. Barratt" <[hidden email]> writes:
>
> > On 2018-11-06 14:43, [hidden email] wrote:
> >
> >> Dear Security Team, please consider yourselves notified and please
> >
> > [hidden email] is *not* a contact point for the
> > Security Team, it's a public discussion list.
>
> Ah, thanks, Adam (https://security-team.debian.org/contact.html is
> pretty confusing in its current state).  I sent a pointer to
> [hidden email].

For reference: https://www.debian.org/security/faq#contact. The above
is an attempt to centralize the documentation and for now still
consists of our notes on what we want to write up.

I just added a note to the site.

Regards,
Salvatore