Hi

On Tue, Apr 18, 2017 at 10:50:19AM +0900, Hideki Yamane wrote:
> I'm just curious, Ubuntu developer said that there was no embargo for
> eject package vulnerability with Debian, is it true and if so, why?
>
> https://bugs.launchpad.net/ubuntu/+source/eject/+bug/1673627/comments/3

Yes this is true. All that is happening after dropping the privileges should be from trusted source (kernel). The fixes were simple enough and eject package builds fast enough that there was no need to have an exact timeframe when Ubuntu and Debian needed to push an update in sync.

To be on the safe side rather than sorry afterwards, Debian has released updates as well relatively quickly after the issue went public via Ubuntu, though.

Hope this helps,

Regards,
Salvatore