
Re: CVE-2021-32642 in radsecproxy



Hi Sven,

> > Thanks for preparing a package and, at a quick glance, I would be
> > happy to upload it. Just to 100% check though: you are not in a
> > position to upload it, create and publish a DLA, update the website,
> > etc.? (Just avoiding duplicate work.)

> No, I am just a sponsored uploader, not a DD or DM.
>
> As for the security issue: two example scripts were vulnerable but those
> are not installed into any bin-directory in Debian and only shipped in
> the examples/ directory in the documentation.

Ah indeed -- I saw just after I sent my previous email. In that
case, I think this will almost certainly be marked by the [non-LTS]
Security Team to the effect that it does not justify an update.

I'll ultimately leave it up to whoever is on LTS frontdesk duty this
week, but I suspect we will do the same too. Happy to do the actual
upload if FD believes the vulnerability does warrant an update, mind
you. (Thanks either way, of course.)


Best wishes,

--
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org 🍥 chris-lamb.co.uk
       `-

