[Pkg-openldap-devel] planning another jessie upload
Luca BRUNO
lucab at debian.org
Fri Feb 6 12:10:44 UTC 2015
Luciano Bello <luciano at debian.org> wrote:
> On Wednesday 04 February 2015 20.00.41 Luca BRUNO wrote:
> > Should the two bugs above get a CVE assigned?
>
> Debian usually assigns CVEs from its pool when the issue is not public
> yet. In this case, I think the best is to request the corresponding
> ids in
> http://oss-security.openwall.org/wiki/mailing-lists/oss-security
>
> > #776991 is a regression in 2.4.40, while #776988 affects all
> > releases but is not enabled by default. Both are remote crashers.
> > We plan to fix both in jessie and bpo, and the older one in wheezy.
>
> Given the low severity of the bugs, they can be fixed via s-p-u.
Ok. Then there is also #761406 which is a bit more critical and will be
fixed in the same upload. Corsac was involved before but I think no CVE
has been requested yet.

Can we proceed in requesting a CVE on our own and push to s-p-u?

For reference, we are queueing up 4 security fixes for the next
openldap revision here:
http://anonscm.debian.org/cgit/pkg-openldap/openldap.git/log/?h=wheezy

Thanks, Luca
--
.''`. | ~<[ Luca BRUNO ~ (kaeso) ]>~
: :' : | Email: lucab (AT) debian.org ~ Debian Developer
`. `'` | GPG Key ID: 0x3BFB9FB3 ~ Free Software supporter
`- | HAM-radio callsign: IZ1WGT ~ Networking sorcerer