
Bug#852998: jessie-pu: package dropbear/2014.65-1



Control: tags -1 + confirmed

On Sat, 2017-01-28 at 20:38 +0100, Guilhem Moulin wrote:
> Moritz Mühlenhoff from the Security Team suggested to fix dropbear's
> known vulnerabilities (CVE-2016-3116 and CVE-2016-740[6-8]) via a point
> release, since they don't warrant a DSA.
[...]
> Could you consider to have it included in the upcoming point release?

Please go ahead.

btw:

++	for (i = 0; s[i] != '\0'; i++) {

is there a reason that isn't using strlen(s)?

> (BTW I
> was not maintaining dropbear yet when Jessie was released.  Therefore -1+deb8u1
> looks like an NMU with invalid version number.

Nope, it looks like what it is - an upload to stable. The concept of
NMUs is basically irrelevant for stable.

> Should I leave it like this,
> should I add the proper suffix, or should I add myself as maintainer?)

+deb8u1 *is* the proper suffix.

If you're prepared to maintain the package in jessie then feel free to
update the Maintainer: field, but that changes nothing about what the
correct version for the package is.

Regards,

Adam

