
libgcrypt11 same issue? Was: Re: [SECURITY] [DLA 1283-1] python-crypto security update



Hi all

I found another issue that looks very similar. It is 
https://security-tracker.debian.org/tracker/CVE-2018-6594

Should we treat it the same way, marking it as ignored?

Best regards

// Ola

On 9 April 2018 at 07:26, Salvatore Bonaccorso <carnil@debian.org> wrote:
Hi Brian,

On Fri, Apr 06, 2018 at 07:06:30PM +1000, Brian May wrote:
> Ola Lundqvist <ola@inguza.com> writes:
>
> > This is what I think we should do.
> >
> > 1) Send a new DLA telling that the fix is only partial and not complete and
> > in addition that elgamal encryption is not supported by the library and
> > should not be used.
> >
> > 2) Mark the CVE as no-dsa/ignored in the security database.
>
> If so, do we update the DLA 1283-1 to remove the fixed status? I assume
> we just have to update the entry in security-tracker/data/DLA/list?

Yes, if that is what you want to do, to remove the fixed status, just
remove the CVE entry from the DLA-1283-1 block in data/DLA/list.

At the same time, remove as well the cross-reference to DLA-1283-1 in
data/CVE/list, which OTOH otherwise will be dropped on next automatic
run.

Regards,
Salvatore



--
 --- Inguza Technology AB --- MSc in Information Technology ----
/  ola@inguza.com                    Folkebogatan 26            \
|  opal@debian.org                   654 68 KARLSTAD            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
 ---------------------------------------------------------------

