On 23/10/24 at 13:03, Arturo Borrero Gonzalez wrote:
> Hi, sorry for the late follow up.
>
> On 10/16/24 00:38, Santiago Ruano Rincón wrote:
> >
> > Again, you can also ask upstream. They are in a better position to tell
> > you if the vulnerability is present in 3.61 or not.
> >
>
> For the record, I have just now sent an email to upstream:
>
> https://groups.google.com/a/mozilla.org/g/dev-tech-crypto/c/h3Q2S0n2vTg/m/-moy2IT7AQAJ
>
> > >
> > > So, I wonder if the commit introducing the vulnerability has been
> > > incorrectly identified?
> >
> > Where does that reference (the introducing commit) come from?
> >
>
> I have no idea, I haven't investigated that bit.

I added the reference to the commit that introduced the vulnerability after you committed it to the elts security tracker. At first glance, the reference made sense, but I could be wrong (too?).

If you are unsure about the origin of the reference and you are unsure that it effectively introduced the issue, I would strongly suggest removing it from the security tracker data to avoid creating any more confusion. Again, upstream may help here.

Cheers,

 -- Santiago