
Bug#646156: pu: package xorg-server/2:1.7.7-14



On Sat, Oct 29, 2011 at 03:03:49PM -0400, Michael Gilbert wrote:
> > On Sat, Oct 29, 2011 at 13:38:47 -0400, Michael Gilbert wrote:
> >> On Fri, Oct 21, 2011 at 3:12 PM, Julien Cristau wrote:
> >> I wonder if at least this one should be treated with a real urgency?
> >> On the surface it's an info disclosure issue, which tend to be very low
> >> urgency, but it's a pretty bad one since it's actually a disclosure of
> >> any file on the system (e.g. /etc/shadow), and there is an existing
> >> poc exploit:
> >> http://vladz.devzero.fr/Xorg-CVE-2011-4029.txt
> >>
> > Moritz said "use p-u", I'm not going to second-guess him.
> 
> This was before the real impact of the issue was clear (I believe),
> and definitely before the exploit code existed.  Personally, I think
> this needs to get out to squeeze users ASAP.

Sorry for disclosing the exploit, but for your information, when I
discovered this vulnerability, the first thing I did was to send an email
to security@debian.org. It contained a full description and the PoC
(exploit) you are talking about (encrypted mail sent on Oct 9th 2011).
I never got any feedback.

Is security@debian.org still the good way to report vulnerabilities?

Regards,
vladz.



