[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Security update of nettle

Hi Magnus

You are of course welcome to improve the language in the changelog. :-)
I should probably have put quite marks to clarify the language, that the text after the CVE number is a part of the CVE name.

Like this:
Protect against potential timing attacks against exponentiation operations
as described in "CVE-2016-6489 RSA code is vulnerable to cache sharing
related attacks."

Regarding the upload. I'm not involved with the stable security team. Let me know when you have a build that I can check and upload. A debdiff and a statement what kind of tests you have performed are very good to have too, so we all have a possibility to check the change.

Thanks in advance

// Ola

On Fri, Aug 5, 2016 at 11:28 PM, Magnus Holmgren <holmgren@debian.org> wrote:
fredagen den 5 augusti 2016 22.16.29 skrev  Ola Lundqvist:
> Hi Magnus and LTS team
>
> Magnus, Niels and I have been discussing the nettle update due to
> https://security-tracker.debian.org/tracker/CVE-2016-6489
>
> Magnus has started to prepare a wheezy update but had a few
> questions. Here are some information that you should know about.
> https://wiki.debian.org/LTS/Development
>
> One question from Magnus was what should be mentioned in the changelog.
> I suggest something like this:
> "Protect against potential timing attacks against exponentiation operations
> as described in CVE-2016-6489 RSA code is vulnerable to cache sharing
> related attacks."

Hmm, that sounds like two sentences in one...

> Magnus, please let me know if you want to upload the correction too and
> whether you want to issue the DLA or whether you want me to do that. We
> want to time the DLA and the upload so they are close to each other in time.

I think you can do that. But I should coordinate with the stable security team
too. I suppose you're not involved with that?

> Magnus, if you decide to build the package for upload, please make sure to
> use the -sa option as wheezy-security need to know about the orig tar file.
> If not the package upload will be rejected.

OK, thanks.

--
Magnus Holmgren        holmgren@debian.org
Debian Developer



--
 --- Inguza Technology AB --- MSc in Information Technology ----
/  ola@inguza.com                    Folkebogatan 26            \
|  opal@debian.org                   654 68 KARLSTAD            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
 ---------------------------------------------------------------

Reply to: