Hi Salvatore, thanks for following up!
On 30.10.19 17:33, Salvatore Bonaccorso wrote:
> On Wed, Oct 30, 2019 at 11:27:34AM +0100, Moritz Schlarb wrote:
>> fixed 923009 seafile/7.0.2-1
>
> I guess I have lost some context here. Can you clarify the following
> before I proceed to mark the fixed version for the CVE as well in the
> security-tracker?
>
> The question is the following: 923009, respectively CVE-2013-7469, is
> associated with upstream issue
> https://github.com/haiwen/seafile/issues/350 . But there was no closure
> of this issue. In the previous BTS message you mentioned that the CVE
> assignment was inaccurate, is the issue fixed with the new 0003 patch?

Now that I think harder about it, it is probably not totally fixed since it is still possible to use libraries encrypted with the older encryption format version (< 3). The patch just makes the new encryption version (3) work with GPL_CRYPTO. Since libraries are created by the server side component (not yet/ever in Debian), the used encryption version is not really configurable by the user here.

What would be your interpretation of the relevant Debian guidelines in this case, where the foot-gun is still there, but at least the default should be better now?

> Were you able to reach out to MITRE (via the webform) to have the
> references and description updated?

I filled it out (on 06.03.19 as CVE Request 652193 FWIW), but never received a response and it doesn't look like any changes were made... :(

Regards,

-- 
Moritz Schlarb
Unix-Gruppe | Systembetreuung
Zentrum für Datenverarbeitung
Johannes Gutenberg-Universität Mainz
Raum 01-331 - Tel. +49 6131 39-29441
OpenPGP Fingerprint: DF01 2247 BFC6 5501 AFF2 8445 0C24 B841 C7DD BAAF

