Hi Brian

Yes, it is not that good that we mark the issue as fixed. The question is how we convince upstream that this is actually a problem.

Do we have an idea of what a good patch would look like? If we are close to fixing the issue we can just wait and then issue a new DLA-xxx-2 where we update the information, telling that the previous fix was not complete.

Best regards

// Ola

On Wed, 9 Sep 2020 at 00:26, Brian May <b...@debian.org> wrote:
> Ola Lundqvist <o...@inguza.com> writes:
>
> > I agree with you about the hash part (the main part of it) of this CVE. In
> > fact this CVE is about two different things. If gnupg does hash validation I
> > think go should do the same.
>
> It concerns me that we have marked CVE-2019-11841 as resolved in
> bullseye and sid, and we have no good procedures for "undoing" a DLA/DSA
> that marks a CVE as resolved. This is something that has got in the past
> also.
>
> I think it might be possible to update data/DLA/list or data/DSA/list
> and remove the CVE from the DLA/DSA. Maybe then we would need to update
> data/CVE/list also (unless this happens automatically). But then we
> still have the problem that the last email sent said that the issue was
> fixed.
>
> > I was referring to the second part of the vulnerability described in
> > "Moreover, since...". Now when I read about it, it is clear that it is only
> > referring to the PHP header part and not the rest of the text. I wonder if
> > that should be seen as a separate vulnerability, that people think the
> > whole text is signed, while it is just a part of it... But that should
> > probably be on the application layer on top of this library.
>
> Yes, it probably should have been two separate CVEs. Having two distinct
> issues in one CVE gets confusing when only one issue gets resolved.
>
> If I understand this correctly, I believe this part was resolved.
>
> --
> Brian May <b...@debian.org>

-- 
--- Inguza Technology AB --- MSc in Information Technology ----
| o...@inguza.com o...@debian.org |
| http://inguza.com/ Mobile: +46 (0)70-332 1551 |
---------------------------------------------------------------
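The two checks the thread talks about, as an added example that is not part of the mailing-list thread and not code from the golang.org/x/crypto clearsign package: first, validating the "Hash" armor header against the hash algorithm the signature packet actually uses (the gnupg-style check Ola refers to), and second, surfacing any text that precedes the signed block so the application layer can decide whether "the whole text" is really covered. It uses only the Go standard library, parses the armored message itself, and reads the hash-algorithm byte out of the signature packet; it does not verify the signature. The names `Parse`, `CheckHashHeader` and `BuildSample` are this example's own, and `BuildSample` produces a constructed, cryptographically meaningless signature packet and a placeholder CRC line purely so the checks can run offline.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

const (
	beginSigned = "-----BEGIN PGP SIGNED MESSAGE-----"
	beginSig    = "-----BEGIN PGP SIGNATURE-----"
	endSig      = "-----END PGP SIGNATURE-----"
)

// Hash algorithm IDs from RFC 4880 section 9.4, keyed by the spelling used in
// the "Hash" armor header.
var hashAlgoIDs = map[string]byte{
	"MD5": 1, "SHA1": 2, "RIPEMD160": 3, "SHA256": 8, "SHA384": 9, "SHA512": 10, "SHA224": 11,
}

// Clearsigned holds the parts of a cleartext-signed message that the checks need.
type Clearsigned struct {
	UnsignedPrefix string   // text before the BEGIN line: covered by no signature at all
	HashHeaders    []string // values of every "Hash" armor header, split on commas
	Text           string   // the signed cleartext (dash-escaping is left as-is; not needed here)
	SigHashAlgo    byte     // hash algorithm ID read from the signature packet
}

// Parse splits the armored message and extracts the hash algorithm from the
// first signature packet. Text before the BEGIN line is kept separately so the
// caller can see that it is unsigned instead of silently dropping it.
func Parse(data string) (*Clearsigned, error) {
	lines := strings.Split(strings.ReplaceAll(data, "\r\n", "\n"), "\n")
	m := &Clearsigned{}
	i := 0
	for i < len(lines) && lines[i] != beginSigned {
		i++
	}
	if i == len(lines) {
		return nil, errors.New("no clearsigned message found")
	}
	m.UnsignedPrefix = strings.Join(lines[:i], "\n")
	i++
	for ; i < len(lines) && lines[i] != ""; i++ { // armor headers end at the first blank line
		if strings.HasPrefix(lines[i], "Hash: ") {
			for _, h := range strings.Split(strings.TrimPrefix(lines[i], "Hash: "), ",") {
				m.HashHeaders = append(m.HashHeaders, strings.TrimSpace(h))
			}
		}
	}
	start := i + 1
	for i = start; i < len(lines) && lines[i] != beginSig; i++ {
	}
	if i == len(lines) {
		return nil, errors.New("signature block missing")
	}
	m.Text = strings.Join(lines[start:i], "\n")
	for i++; i < len(lines) && lines[i] != ""; i++ { // skip signature armor headers
	}
	var b64 strings.Builder
	for i++; i < len(lines) && lines[i] != endSig && !strings.HasPrefix(lines[i], "="); i++ {
		b64.WriteString(lines[i]) // base64 body runs up to the "=CRC" line or END
	}
	raw, err := base64.StdEncoding.DecodeString(b64.String())
	if err != nil {
		return nil, fmt.Errorf("bad signature armor: %w", err)
	}
	if m.SigHashAlgo, err = sigHashAlgo(raw); err != nil {
		return nil, err
	}
	return m, nil
}

// sigHashAlgo reads the hash-algorithm byte of a v3 or v4 signature packet
// (RFC 4880 sections 4.2 and 5.2). Nothing here verifies the signature.
func sigHashAlgo(pkt []byte) (byte, error) {
	if len(pkt) < 2 || pkt[0]&0x80 == 0 {
		return 0, errors.New("not an OpenPGP packet")
	}
	hdr, tag := 2, byte(0) // header bytes (CTB plus length), packet tag
	if pkt[0]&0x40 != 0 { // new-format header
		tag = pkt[0] & 0x3f
		if pkt[1] >= 224 {
			return 0, errors.New("unsupported packet length encoding")
		} else if pkt[1] >= 192 {
			hdr = 3
		}
	} else { // old-format header: low two bits select the length-field size
		tag = (pkt[0] >> 2) & 0x0f
		switch pkt[0] & 0x03 {
		case 1:
			hdr = 3
		case 2:
			hdr = 5
		case 3:
			return 0, errors.New("indeterminate packet length")
		}
	}
	if tag != 2 || len(pkt) < hdr {
		return 0, fmt.Errorf("expected a signature packet (tag 2), got tag %d", tag)
	}
	body := pkt[hdr:]
	switch { // v4: version, sig type, pubkey algo, hash algo; v3: hash algo sits at offset 16
	case len(body) >= 4 && body[0] == 4:
		return body[3], nil
	case len(body) >= 17 && body[0] == 3:
		return body[16], nil
	}
	return 0, errors.New("unsupported or truncated signature packet")
}

// CheckHashHeader applies RFC 4880 section 7: the signature's algorithm must be
// one of those announced in the "Hash" headers, and with no such header only
// MD5 is permitted. A mismatch means the header was altered, so reject the
// message instead of trusting what the header claims.
func CheckHashHeader(m *Clearsigned) error {
	announced := m.HashHeaders
	if len(announced) == 0 {
		announced = []string{"MD5"}
	}
	for _, name := range announced {
		id, ok := hashAlgoIDs[name]
		if !ok {
			return fmt.Errorf("unknown hash algorithm %q in Hash header", name)
		}
		if id == m.SigHashAlgo {
			return nil
		}
	}
	return fmt.Errorf("signature uses hash algorithm %d, which the Hash header %v does not announce", m.SigHashAlgo, announced)
}

// BuildSample assembles a clearsigned message around a constructed v4 signature
// packet whose hash-algorithm byte is sigAlgo. The packet is not a real
// signature and the "=AAAA" CRC line is a placeholder; both exist only so the
// checks above can be exercised offline.
func BuildSample(prefix, hashHeader, text string, sigAlgo byte) string {
	body := []byte{4, 0x01, 1, sigAlgo, 0, 0, 0, 0}          // version 4, type 0x01, RSA, hash, filler
	pkt := append([]byte{0x88, byte(len(body))}, body...) // old-format CTB: tag 2, one-byte length
	var sb strings.Builder
	sb.WriteString(prefix + beginSigned + "\n")
	if hashHeader != "" {
		sb.WriteString("Hash: " + hashHeader + "\n")
	}
	sb.WriteString("\n" + text + "\n" + beginSig + "\n\n")
	sb.WriteString(base64.StdEncoding.EncodeToString(pkt) + "\n=AAAA\n" + endSig + "\n")
	return sb.String()
}

func main() {
	for _, s := range []string{
		BuildSample("", "SHA256", "Hello, world", 8),                 // consistent
		BuildSample("", "SHA256", "Hello, world", 2),                 // header says SHA256, packet says SHA1
		BuildSample("", "", "Hello, world", 8),                       // no header, so only MD5 would be acceptable
		BuildSample("Unsigned preamble\n", "SHA256", "Hello, world", 8), // text outside the signed region
	} {
		m, err := Parse(s)
		if err != nil {
			fmt.Println("parse error:", err)
			continue
		}
		fmt.Printf("Hash=%v sigAlgo=%d unsignedPrefix=%q check=%v\n", m.HashHeaders, m.SigHashAlgo, m.UnsignedPrefix, CheckHashHeader(m))
	}
}
```

An application that treats the whole input as signed should refuse a message whose `UnsignedPrefix` is non-empty; the library-level fix for the first half of the CVE is the `CheckHashHeader` rule, and the example keeps the two separate because, as the thread notes, they are separate problems.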