Re: [SECURITY] [DLA 1283-1] python-crypto security update

[Ola Lundqvist <ola@inguza.com>]

Hi

Do we have a fix that solve the problem? If we do we can simply upload a new version with the fix and describe it accordingly.

If it is fixed in some cases it may be considered fixed.

I have not checked the details about this specific problem.

// Ola

On 2 April 2018 at 10:22, Brian May <bam@debian.org> wrote:

Ola Lundqvist <ola@inguza.com> writes:

> We can simply send a DLA-1283-2 telling that it was not fixed.

Do we all agree that this is not fixed? It really depends on the user's
of this library and how they use it.

Lets assume we agree it isn't fixed.

I cannot think how to word this advisory. I don't think we have any
advisory yet that completely reverses an existing advisory. Maybe
somethin glike "DLA1283-1 indicated that we have a solution for
CVE-2018-6594, but this has been disputed by the researchers who found
the problem who claim the problem is not fixed."?

Also we would somehow have to update the security tracker to reflect
that the issue is not actually fixed.
--
Brian May <bam@debian.org>

--

 --- Inguza Technology AB --- MSc in Information Technology ----

/  ola@inguza.com                    Folkebogatan 26            \

|  opal@debian.org                   654 68 KARLSTAD            |

|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |

\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /

 ---------------------------------------------------------------