Hi!

On Sat, 2026-03-07 at 00:17:55 +0100, Salvatore Bonaccorso wrote:
> On Fri, Mar 06, 2026 at 04:39:23PM +0100, Guillem Jover wrote:
> > I'm not part of the Debian Security Team (I just maintain the inetutils
> > package in Debian), but I think they assigned a CVE because there didn't
> > seem to be one coming from upstream. I guess the expectation would be
> > that if there's a new CVE to be assigned that would be handled by
> > upstream, but if it's needed and it's not forthcoming they might assign
> > another one? (Although the easier way forward would be to reuse the
> > existing one, and issue an update for the DSA.)
>
> I just need to clarify one thing here: The CVE was not assigned by the
> Debian CNA, but as there was no CVE assigned by the issue reported by
> Ron, I requested one from MITRE. There was none assigned in time when
> we released the DSA, and at that point TTBOMK the more general
> issue/root cause indication by Justin Swartz was not known. So the CVE
> request to MITRE was done specifically as for the issue found by Ron.

Right, sorry, as it seems like I forgot about this (where I was even
CCed in later emails mentioning this)!

Thanks,
Guillem
