Ola Lundqvist <ola@inguza.com> writes:
> Thank you for the feedback. Well, we can do interface changes as long as
> they are backwards compatible. The package is backwards compatible. The
> problem here is that the fix is in a new function that no software will use
> and hence the fix is useless unless we also change all software using
> nettle.
>
> How do we handle this kind of problem?
First question: Is it worth fixing this problem? It sounds like it might
be a relatively minor issue.
If we were to proceed, I would imagine we need to update the library
first and then update the applications.
Does updating the library in the archive require a DLA? It would add a
security update, but users won't see it until updating the
applications.
> Should all software using the insecure function be mapped to the same CVE,
> or should there in fact be different CVEs for each package that is insecure?
In the past I think I have been steered towards one CVE per application,
however I'm not sure if that advice applies for this specific case.
--
Brian May <bam@debian.org>