
Re: Fwd: Cap'n Proto security advisory / Debian



Hey Niels,

On Mon, Mar 16, 2015 at 12:18 AM, Niels Thykier <niels@thykier.net> wrote:
> At first glance, "critical" seems to be a "high" for these bugs.  A
> critical bug:
>
> """makes unrelated software on the system (or the whole system) break,
> or causes serious data loss, or introduces a security hole on systems
> where you install the package."""
>
> Unless this is a remote root exploit (e.g. capnproto is a service
> running as root), I suspect "grave" might be more accurate[1].
>
> [1] https://www.debian.org/Bugs/Developer#severities

Sure, makes sense -- I updated these bugs to severity "grave" earlier this evening.

> > and will be preparing an upload to sid that I'd
> > like to eventually flow into testing to address these bugs.
> >
> > Any problems or concerns in the interim, please let me know.
> >
> > Cheers,
> > Tom
> >
>
> Excellent, do you have any ETA on the upload?

I'm not a DM so I'll need a sponsor to help me out with the actual upload, but I've just pushed a build of 0.4.1-3 to mentors.debian.org here: https://mentors.debian.net/package/capnproto. I've CCed Vincent Bernat who usually handles the capnproto uploads.

Let me know if there are any issues or concerns with the package on m.d.o & I'll get it sorted out.

Individual commits, if they're useful:

https://github.com/thomaslee/capnproto-debian/compare/debian/0.4.1-2...maint-0.4.1

Cheers,
Tom

--
Tom Lee http://tomlee.co / @tglee

