Hi Brian,
> https://security-tracker.debian.org/tracker/CVE-2019-9512
> https://security-tracker.debian.org/tracker/CVE-2019-9514
>
> Under "golang-1.7" release stretch it says "vulnerable".
>
> But in the notes, there is:
>
> [stretch] - golang-1.7 (Minor issue)
Good spot. I'm not quite sure wh
Hi Brian,
On 09/09/2020 00:55, Brian May wrote:
> Looking at:
>
> https://security-tracker.debian.org/tracker/CVE-2019-9512
> https://security-tracker.debian.org/tracker/CVE-2019-9514
>
> Under "golang-1.7" release stretch it says "vulnerable".
>
> But in the notes, there is:
>
> [stretch] - g
August was my 30th month as a Debian LTS paid contributor. I had a total of
10 hours. I spent all of them for the following:
* ark: Fix CVE-2020-24654 and CVE-2020-16116 partially (though GUI works,
CLI still escapes path traversal archives). Rep
Hours worked:
31 hours
DLAs released:
DLA-2309-1 evolution-data-server
CVE-2020-16117
DLA-2320-1 golang-github-seccomp-libseccomp-golang
CVE-2017-18367
DLA-2326-1 htmlunit
CVE-2020-5529
DLA-2329-1 libetpan
CVE-2020-15953
DLA-2330-1 jruby
CVE-2017-17742 CVE-2019-8320 CVE-2019-8321 CVE-2019-832
Hi Brian
Yes, it is not that good that we mark the issue as fixed. The question is
how we convince upstream that this is actually a problem.
Do we have an idea of what a good patch would look like?
If we are close to fixing the issue we can just wait and then issue a new
DLA-xxx-2 where we update
Ola Lundqvist writes:
> Do we have an idea of what a good patch would look like?
OK, I think a patch may not be as simple as I hoped.
CheckDetachedSignature() is where we decode the packet and determine the
hash function used.
But this function is not supplied the headers so it cannot check the