Hi Magnus
You are of course welcome to improve the language in the changelog. :-)
I should probably have put quite marks to clarify the language, that the text after the CVE number is a part of the CVE name.
Like this:
Protect against potential timing attacks against exponentiation operations
as described in "CVE-2016-6489 RSA code is vulnerable to cache sharing
related attacks."
Regarding the upload. I'm not involved with the stable security team. Let me know when you have a build that I can check and upload. A debdiff and a statement what kind of tests you have performed are very good to have too, so we all have a possibility to check the change.
Thanks in advance
// Ola