
Re: Nettle and CVE-2018-16869



Ola Lundqvist <ola@inguza.com> writes:

> Thank you for the feedback. Well we can do interface changes as long as
> they are backwards compatible. The package is backwards compatible. The
> problem here is that the fix is in a new function that no software will use
> and hence the fix is useless unless we also change all software using
> nettle.
>
> How do we handle this kind of problem?

First question: Is it worth fixing this problem? It sounds like it might
be a relatively minor issue.

If we were to proceed, I would imagine we need to update the library
first and then update the applications.

Does updating the library in the archive require a DLA? It would add a
security update, but users won't see it until updating the
applications.

> Should all software using the insecure function be mapped to the same CVE,
> or should there in fact be different CVEs for each package that is insecure?

In the past I think I have been steered towards one CVE per application,
however not sure if that advice applies for this specific case.
-- 
Brian May <bam@debian.org>

