Re: Security vulnerability CVE-2024-53849 in editorconfig (bookworm and testing)
On November 28, 2024 11:31:51 PM PST, Salvatore Bonaccorso <carnil@debian.org> wrote:
>
>On Wed, Nov 27, 2024 at 11:32:32PM -0800, Hong Xu wrote:
>> On Wed 2024/11/27 23:21:42-0800 (PST), Salvatore Bonaccorso wrote:
>> > Hi Hong,
>> >
>> > On Tue, Nov 26, 2024 at 11:29:58PM -0800, Hong Xu wrote:
>> > > I am a maintainer of the upstream of editorconfig. I added
>> > > CVE-2024-53849 to the CVE database today. This is related to the
>> > > editorconfig package in Debian.
>> > >
>> > > Additionally, the security fix was available about 9 months ago, in
>> > > case this information matters (only realized it wasn't in CVE today,
>> > > my bad).
>> >
>> > Yes thanks a lot. We are tracking the CVE as
>> >
>> > https://security-tracker.debian.org/tracker/CVE-2024-53849
>> >
>>
>> Thanks Salvatore. In the future, should I always report new CVE
>> items from packages maintained by me to this mailing list? Or,
>> should I trust the Debian Security Team would associate new items in
>> CVE with Debian packages? I couldn't find related information on the
>> website...
>
>We regularly review the new CVEs from e.g. the MITRE feed, so we would
>catch that as well. If an issue is yet unfixed in Debian unstable, you
>could also help by filing a bug directly against the package, adding
>the 'security' tag, and we would add this cross-reference metadata to
>the tracker as well.
>
>Does this help?
>
That's clear, thanks!
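The procedure Salvatore describes (file a bug against the package, tag it 'security', so the Security Team can cross-reference it in the tracker) as an added shell example. This is not part of the thread and not Debian's reportbug tool; the package version, the fixed upstream version and the mail body are constructed placeholders, and the pseudo-header check is a local sanity check of the draft, not something the BTS performs.

```shell
#!/bin/sh
# Added example, not from the thread or from Debian's reportbug: draft a
# report for the Debian BTS against the affected package, carrying the
# 'security' tag, and check the draft locally before sending it.
# Versions and body text are constructed placeholders for illustration.

# compose_bts_report PKG VERSION CVE FIXED_UPSTREAM
# Prints a mail addressed to submit@bugs.debian.org whose first body
# lines are the BTS pseudo-headers (Package, Version, Severity, Tags).
compose_bts_report() {
    pkg=$1
    ver=$2
    cve=$3
    fixed=$4
    cat <<EOF
To: submit@bugs.debian.org
X-Debbugs-Cc: team@security.debian.org
Subject: $pkg: $cve (fixed upstream in $fixed)

Package: $pkg
Version: $ver
Severity: important
Tags: security upstream

$cve is assigned to $pkg and is fixed upstream in release $fixed
(assumed version for this example). The version currently in unstable
($ver) does not yet carry the fix.
Tracker: https://security-tracker.debian.org/tracker/$cve
EOF
}

# check_bts_report < draft
# Exit 0 only when the draft has everything the Security Team needs to
# link it to the CVE: addressed to submit@bugs.debian.org, a CVE id in
# the Subject, Package and Version pseudo-headers, and 'security' among
# the Tags. Plain ERE only, so it runs under mawk as well as gawk.
check_bts_report() {
    awk '
        /^To: submit@bugs\.debian\.org$/                                    { to = 1 }
        /^Subject: .*CVE-[0-9][0-9][0-9][0-9]-[0-9][0-9][0-9][0-9]/         { subj = 1 }
        /^Package: [a-z0-9][a-z0-9.+-]+$/                                   { pkg = 1 }
        /^Version: [0-9]/                                                   { ver = 1 }
        /^Tags: / && / security( |$)/                                       { tag = 1 }
        END { exit !(to && subj && pkg && ver && tag) }
    '
}

# Usage: draft, verify, then hand the mail to sendmail or reportbug.
draft=$(compose_bts_report editorconfig 1.0-1 CVE-2024-53849 1.0.1)
if printf '%s\n' "$draft" | check_bts_report; then
    printf '%s\n' "$draft"
else
    echo "draft is missing a required pseudo-header or the security tag" >&2
fi
```

Severity is set to important as a placeholder; pick it by impact. reportbug(1) produces the same pseudo-header block interactively, and the check above is mainly useful when a report is generated from a script or template rather than by hand.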