Hi Magnus

You are of course welcome to improve the language in the changelog. :-)
I should probably have put quote marks to clarify the language, that the text after the CVE number is a part of the CVE name.

Like this:
Protect against potential timing attacks against exponentiation operations as described in "CVE-2016-6489 RSA code is vulnerable to cache sharing related attacks."

Regarding the upload. I'm not involved with the stable security team.

Let me know when you have a build that I can check and upload. A debdiff and a statement of what kind of tests you have performed are very good to have too, so we all have a possibility to check the change.

Thanks in advance

// Ola

On Fri, Aug 5, 2016 at 11:28 PM, Magnus Holmgren <holmg...@debian.org> wrote:

> On Friday, 5 August 2016 22.16.29, Ola Lundqvist wrote:
> > Hi Magnus and LTS team
> >
> > Magnus, Niels and I have been discussing the nettle update due to
> > https://security-tracker.debian.org/tracker/CVE-2016-6489
> >
> > Magnus has started to prepare a wheezy update but had a few
> > questions. Here is some information that you should know about.
> > https://wiki.debian.org/LTS/Development
> >
> > One question from Magnus was what should be mentioned in the changelog.
> > I suggest something like this:
> > "Protect against potential timing attacks against exponentiation operations
> > as described in CVE-2016-6489 RSA code is vulnerable to cache sharing
> > related attacks."
>
> Hmm, that sounds like two sentences in one...
>
> > Magnus, please let me know if you want to upload the correction too and
> > whether you want to issue the DLA or whether you want me to do that. We
> > want to time the DLA and the upload so they are close to each other in time.
>
> I think you can do that. But I should coordinate with the stable security team
> too. I suppose you're not involved with that?
>
> > Magnus, if you decide to build the package for upload, please make sure to
> > use the -sa option as wheezy-security needs to know about the orig tar file.
> > If not the package upload will be rejected.
>
> OK, thanks.
>
> --
> Magnus Holmgren        holmg...@debian.org
> Debian Developer

--
 --- Inguza Technology AB --- MSc in Information Technology ----
/  o...@inguza.com                    Folkebogatan 26            \
|  o...@debian.org                   654 68 KARLSTAD            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
 ---------------------------------------------------------------