[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Security update of nettle

fredagen den 5 augusti 2016 22.16.29 skrev  Ola Lundqvist:
> Hi Magnus and LTS team
> Magnus, Niels and I have been discussing the nettle update due to
> https://security-tracker.debian.org/tracker/CVE-2016-6489
> Magnus has started to prepare a wheezy update but had a few
> questions. Here are some information that you should know about.
> https://wiki.debian.org/LTS/Development
> One question from Magnus was what should be mentioned in the changelog.
> I suggest something like this:
> "Protect against potential timing attacks against exponentiation operations
> as described in CVE-2016-6489 RSA code is vulnerable to cache sharing
> related attacks."

Hmm, that sounds like two sentences in one...

> Magnus, please let me know if you want to upload the correction too and
> whether you want to issue the DLA or whether you want me to do that. We
> want to time the DLA and the upload so they are close to each other in time.

I think you can do that. But I should coordinate with the stable security team 
too. I suppose you're not involved with that?

> Magnus, if you decide to build the package for upload, please make sure to
> use the -sa option as wheezy-security need to know about the orig tar file.
> If not the package upload will be rejected.

OK, thanks.

Magnus Holmgren        holmgren@debian.org
Debian Developer 

Attachment: signature.asc
Description: This is a digitally signed message part.

Reply to: