Re: [SECURITY] [DLA 1283-1] python-crypto security update
- To: Ola Lundqvist <firstname.lastname@example.org>, Antoine Beaupré <email@example.com>
- Cc: Debian LTS <firstname.lastname@example.org>, email@example.com
- Subject: Re: [SECURITY] [DLA 1283-1] python-crypto security update
- From: Brian May <firstname.lastname@example.org>
- Date: Mon, 02 Apr 2018 18:22:57 +1000
- Message-id: <[🔎] email@example.com>
- In-reply-to: <CABY6=0keTefH4_964oC84z18GCRXOkfc6swbvMv07aJgmGd3tg@mail.gmail.com>
- References: <firstname.lastname@example.org> <email@example.com> <firstname.lastname@example.org> <email@example.com> <firstname.lastname@example.org> <CABY6=0keTefH4_964oC84z18GCRXOkfc6swbvMv07aJgmGd3tg@mail.gmail.com>
Ola Lundqvist <email@example.com> writes:
> We can simply send a DLA-1283-2 telling that it was not fixed.
Do we all agree that this is not fixed? It really depends on the user's
of this library and how they use it.
Lets assume we agree it isn't fixed.
I cannot think how to word this advisory. I don't think we have any
advisory yet that completely reverses an existing advisory. Maybe
somethin glike "DLA1283-1 indicated that we have a solution for
CVE-2018-6594, but this has been disputed by the researchers who found
the problem who claim the problem is not fixed."?
Also we would somehow have to update the security tracker to reflect
that the issue is not actually fixed.
Brian May <firstname.lastname@example.org>