Control: tags -1 + confirmed

On Sat, 2017-01-28 at 20:38 +0100, Guilhem Moulin wrote:
> Moritz Mühlenhoff from the Security Team suggested to fix dropbear's
> known vulnerabilities (CVE-2016-3116 and CVE-2016-740[6-8]) via a point
> release, since they don't warrant a DSA.
[...]
> Could you consider to have it included in the upcoming point release?

Please go ahead.

btw:

++ for (i = 0; s[i] != '\0'; i++) {

is there a reason that isn't using strlen(s)?

> (BTW I
> was not maintaining dropbear yet when Jessie was released. Therefore
> -1+deb8u1
> looks like an NMU with invalid version number.

Nope, it looks like what it is - an upload to stable. The concept of NMUs is basically irrelevant for stable.

> Should I leave it like this,
> should I add the proper suffix, or should I add myself as maintainer?)

+deb8u1 *is* the proper suffix. If you're prepared to maintain the package in jessie then feel free to update the Maintainer: field, but that changes nothing about what the correct version for the package is.

Regards,

Adam