Control: tags -1 - moreinfo

Hi

On 2016-12-31 17:03:32, Adam D. Barratt wrote:
> Control: tags -1 + moreinfo
>
> On Thu, 2016-12-29 at 23:15 +0100, Sebastian Ramacher wrote:
> > I'd like to fix CVE-2013-7459 (#849495) in jessie via the next point release.
> > The issue was marked as no-dsa.
> >
> > The proposed debdiff is attached. The same patch was applied to the package in
> > unstable.
>
> > + * Throw exception when IV is used with ECB or CTR (CVE-2013-7459)
>
> Do we know if any packages currently in Debian misuse the functions in
> that way? (I realise that any that do are broken, but I'd prefer to find
> that out /before/ releasing a point release that makes them explode if
> possible.)

I am not aware of any packages in jessie that pass IVs when using ECB or CTR.
At least I did not find any using codesearch.d.n. This observation was also
part of the reason to declare the issue as no-dsa.

Cheers
-- 
Sebastian Ramacher
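A text search such as the one mentioned in the thread can be complemented by a syntax-aware check over a reverse dependency's source. The following is an added example, not part of the original mails or the debdiff; it assumes the affected functions follow the PyCrypto-style call shape `<cipher>.new(key, mode, IV)` with `mode`/`IV` also accepted as keywords, which the thread itself does not spell out, and `find_iv_misuse` and `SAMPLE` are hypothetical names.

```python
import ast

# Modes for which the fixed package throws when an IV is supplied
# (taken from the changelog line quoted in the thread).
NO_IV_MODES = {"MODE_ECB", "MODE_CTR"}
IV_KEYWORDS = {"IV", "iv"}  # assumed keyword spellings


def _mode_name(node):
    """Return the trailing identifier of AES.MODE_ECB or MODE_ECB, else None."""
    if isinstance(node, ast.Attribute):
        return node.attr
    if isinstance(node, ast.Name):
        return node.id
    return None


def find_iv_misuse(source):
    """Return sorted (line, mode) pairs for .new() calls passing an IV with ECB/CTR.

    Raises SyntaxError if the source cannot be parsed by the running
    interpreter, so unparsable files are not silently reported as clean.
    """
    hits = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call)
                and isinstance(node.func, ast.Attribute)
                and node.func.attr == "new"):
            continue
        kwargs = {kw.arg: kw.value for kw in node.keywords if kw.arg}
        # Assumed call shape: new(key, mode, IV, ...), mode/IV also as keywords.
        mode_node = node.args[1] if len(node.args) > 1 else kwargs.get("mode")
        has_iv = len(node.args) > 2 or any(k in kwargs for k in IV_KEYWORDS)
        mode = _mode_name(mode_node)
        if has_iv and mode in NO_IV_MODES:
            hits.append((node.lineno, mode))
    return sorted(hits)


# Constructed sample input, not taken from any Debian package.
SAMPLE = '''\
from Crypto.Cipher import AES
a = AES.new(key, AES.MODE_ECB)
b = AES.new(key, AES.MODE_ECB, iv)
c = AES.new(key, AES.MODE_CBC, iv)
d = AES.new(key, mode=AES.MODE_CTR, IV=iv, counter=ctr)
e = AES.new(key, AES.MODE_CTR, counter=ctr)
'''

if __name__ == "__main__":
    for line, mode in find_iv_misuse(SAMPLE):
        print("line %d: IV passed with %s" % (line, mode))
```

Calls that pick the mode through a variable or pass arguments via `*args` are not resolved by this check and still need manual review.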