[Pkg-freeradius-maintainers] Bug#863673: Bug#863673: CVE-2017-9148: FreeRADIUS TLS resumption authentication bypass

Michael Stapelberg stapelberg at debian.org
Thu Jun 1 21:09:17 UTC 2017

Thanks, I agree that updating the FAQ would be good.

The original question of how to proceed still stands. I sent the patch in
my previous message; do you want me to upload it, or do you want to upload
it? If I should do it, let me state for the record that I have no idea what
I’m doing (I never uploaded to anything but unstable/experimental).

On Thu, Jun 1, 2017 at 9:34 AM, Salvatore Bonaccorso <carnil at debian.org> wrote:

> Hi
> On Thu, Jun 01, 2017 at 08:54:57AM +0200, Michael Stapelberg wrote:
> > I got the idea from https://www.debian.org/security/faq#upload. Is that
> > outdated, or did I read it wrong? If the latter, please elaborate so that
> > we can update the docs to be more clear.
> The idea behind that FAQ entry is to state that an upload should never
> be done without first having an ack from the security team. The
> dev-ref gives a broader view on how to handle security issues, and
> interact with the team:
> https://www.debian.org/doc/manuals/developers-reference/ch05.en.html#bug-security
> Maybe we should rephrase a bit the FAQ entry itself.
> Regards,
> Salvatore

Best regards,