
Re: Security vulnerability CVE-2024-53849 in editorconfig (bookworm and testing)



On Wed, Nov 27, 2024 at 11:32:32PM -0800, Hong Xu wrote:
> On Wed 2024/11/27 23:21:42-0800 (PST), Salvatore Bonaccorso wrote:
> > Hi Hong,
> > 
> > On Tue, Nov 26, 2024 at 11:29:58PM -0800, Hong Xu wrote:
> > > I am a maintainer of the upstream of editorconfig. I added
> > > CVE-2024-53849 to the CVE database today. This is related to the
> > > editorconfig package in Debian.
> > > 
> > > Additionally, the security fix was available about 9 months ago, in
> > > case this information matters (only realized it wasn't in CVE today,
> > > my bad).
> > 
> > Yes thanks a lot. We are tracking the CVE as
> > 
> > https://security-tracker.debian.org/tracker/CVE-2024-53849
> > 
> 
> Thanks Salvatore. In the future, should I always report new CVE
> items from packages maintained by me to this mailing list? Or,
> should I trust the Debian Security Team would associate new items in
> CVE with Debian packages? I couldn't find related information on the
> website...

We regularly review the new CVEs from e.g. the MITRE feed, so we would
catch that as well. If an issue is still unfixed in Debian unstable, you
could also help by filing a bug directly against the package with the
'security' tag, and we would add this cross-reference metadata to the
tracker as well.

Does this help?

Regards,
Salvatore

