On 2016-05-17 14:01:24, Thorsten Alteholz wrote:
> Hi Antoine,
>
> On Tue, 17 May 2016, Antoine Beaupré wrote:
>> Both are what seem to be serious enough DOS attacks, and are not marked
>> no-dsa or anything. You are still assigned the package in dla-needed.txt
>> so for now I'll assume you will complete the work, but please do update
>> the status correctly next time, or let us know of what the next steps
>> are.
>
> I am not sure that I understand you. Can you please explain where there
> has been an incorrect status?

Hmm... Well, maybe I'm confused. Let me share what I know.

You recently published an Asterisk package to solve security issues in Debian LTS. I am referring to version 1.8.13.1~dfsg1-3+deb7u4 uploaded announced here:

https://tracker.debian.org/news/765813

There was also a DLA released, two weeks ago:

https://security-tracker.debian.org/tracker/DLA-455-1
https://lists.debian.org/debian-lts-announce/2016/05/msg00005.html

This release fixed CVEs CVE-2014-2286, CVE-2014-4046, CVE-2014-6610, CVE-2014-8412, CVE-2014-8418 and CVE-2015-3008.

However, there are still two more CVEs still open in the tracker:

https://security-tracker.debian.org/tracker/source-package/asterisk

That is:

https://security-tracker.debian.org/tracker/CVE-2014-4047

and:

https://security-tracker.debian.org/tracker/CVE-2014-2287

Those issues should have been fixed in the same upload, in my opinion, unless they came up during the last two weeks. I suspect they were already present because the CVE number dates the CVE back to 2014.

Hence my first question: Could you clarify why CVE-2014-4047 and CVE-2014-2287 were not included in this upload?

The comment regarding the status was that, since the CVEs were not marked as resolved, they should have been marked <no-dsa> (if you considered them minor enough to not warrant an upload) or you should have removed yourself from the "asterisk" line in dla-needed.txt so that others know you are not working on it anymore.

I hope that clarifies my comments! Let me know if you need further clarification.

A.

--
Omnis enim ex infirmitate feritas est.
All cruelty springs from weakness.
- Lucius Annaeus Seneca (58 AD)