Re: [SECURITY] [DLA 1283-1] python-crypto security update

To: Brian May <bam@debian.org>
Cc: Ola Lundqvist <ola@inguza.com>, Antoine Beaupré <anarcat@orangeseeds.org>, Debian LTS <debian-lts@lists.debian.org>, security@debian.org
Subject: Re: [SECURITY] [DLA 1283-1] python-crypto security update
From: Salvatore Bonaccorso <carnil@debian.org>
Date: Mon, 9 Apr 2018 07:26:44 +0200
Message-id: <[🔎] 20180409052644.cqtwnunwvwpmtd3n@lorien.valinor.li>
Mail-followup-to: Brian May <bam@debian.org>, Ola Lundqvist <ola@inguza.com>, Antoine Beaupré <anarcat@orangeseeds.org>, Debian LTS <debian-lts@lists.debian.org>, security@debian.org
In-reply-to: <[🔎] 878ta0d7qh.fsf@silverfish.pri>
References: <87lgfod5qw.fsf@prune.linuxpenguins.xyz> <87tvt2vq88.fsf@curie.anarc.at> <87po3qfu7g.fsf@silverfish.pri> <87r2o24qxa.fsf@curie.anarc.at> <CABY6=0keTefH4_964oC84z18GCRXOkfc6swbvMv07aJgmGd3tg@mail.gmail.com> <[🔎] 87zi2mdnku.fsf@silverfish.pri> <[🔎] CABY6=0kHbuLUcwa2ffkTtG0cn6t0cNm334dh3PL0K1imsBoaiQ@mail.gmail.com> <[🔎] 87tvste07d.fsf@silverfish.pri> <[🔎] CABY6=0mtk23CPMQCOhtQWindX74Qnh5O8u6KAEMpLg71e9+EZw@mail.gmail.com> <[🔎] 878ta0d7qh.fsf@silverfish.pri>

Hi Brian,

On Fri, Apr 06, 2018 at 07:06:30PM +1000, Brian May wrote:
> Ola Lundqvist <ola@inguza.com> writes:
> 
> > This is what I think we should do.
> >
> > 1) Send a new DLA telling that the fix is only partial and not complete and
> > in addtion that elgamal encryption is not supported by the library and
> > should not be used.
> >
> > 2) Mark the CVE as no-dsa/ignored in the security database.
> 
> If so, do we update the DLA 1283-1 to remove the fixed status? I assume
> we just have to update the entry in security-tracker/data/DLA/list?

Yes if that what you want to do, to remove the fixed status, just
remove the CVE entry from the DLA-1283-1 block in data/DLA/list.

At same time remove as well the cross-reference to DLA-1283-1 in
data/CVE/list, which OTOH otherwise will be dropped on next automatic
run.

Regards,
Salvatore

Reply to:

References:
- Re: [SECURITY] [DLA 1283-1] python-crypto security update
  - From: Brian May <bam@debian.org>
- Re: [SECURITY] [DLA 1283-1] python-crypto security update
  - From: Ola Lundqvist <ola@inguza.com>
- Re: [SECURITY] [DLA 1283-1] python-crypto security update
  - From: Brian May <bam@debian.org>
- Re: [SECURITY] [DLA 1283-1] python-crypto security update
  - From: Ola Lundqvist <ola@inguza.com>
- Re: [SECURITY] [DLA 1283-1] python-crypto security update
  - From: Brian May <bam@debian.org>

Prev by Date: Re: [SECURITY] [DLA 1283-1] python-crypto security update
Next by Date: libgcrypt11 same issue? Was: Re: [SECURITY] [DLA 1283-1] python-crypto security update
Previous by thread: Re: [SECURITY] [DLA 1283-1] python-crypto security update
Next by thread: LTS Report for March 2018
Index(es):
- Date
- Thread