On Wed, Aug 3, 2022 at 12:22 AM Thomas Goirand <z...@debian.org> wrote:
> Hi Tim,
>
> Please don't top-post, we don't do that in Debian, and also:

Apologies!

> FYI, I'm sad too, but there's nothing I can do but pinging again the
> stable release team about this. You hear me well: the stable release
> team. Not the security team since they do not want to do a security
> announcement and an update through stable-security (so it shall be done
> through a point release, dealing with the stable release team).
>
> This means writing to 1002...@bugs.debian.org. That's the only email
> address that has influence on accepting the fixed version. Feel free to
> ping that email address until you get a reply. I agree that no reply
> since the 29th of Jan is sad...

I still don't understand why the determination was made to not do a security announcement for this bug, given that it makes a Debian system that installs this package vulnerable to remote RCE without manual intervention.

But given that determination was made, perhaps the best way I can contribute is by making sure this bug thread links to https://blog.zulip.com/2022/01/25/zulip-server-4-9-security-release/#cve-2021-43799-remote-code-execution-vulnerability-involving-rabbitmq, which has a bunch of public context about the impact of this bug, as well as background explanation that may help release managers who don't know much about Erlang/RabbitMQ.

-Tim Abbott
> Hi Tim, > > Please don't top-post, we don't do that in Debian, and also: > Apologies! FYI, I'm sad too, but there's nothing I can do but pinging again the > stable release team about this. You hear me well: the stable release > team. Not the security team since they do not want to do a security > announcement and an update through stable-security (so it shall be done > through a point release, dealing with the stable release team). > > This means writing to 1002...@bugs.debian.org. That's the only email > address that has influence on accepting the fixed version. Feel free to > ping that email address until you get a reply. I agree that no reply > since the 29th of Jan is sad... > I still don't understand why the determination was made to not do a security announcement for this bug, given that it makes a Debian system that installs this package vulnerable to remote RCE without manual intervention. But given that determination was made, perhaps the best way I can contribute is by making sure this bug thread links to https://blog.zulip.com/2022/01/25/zulip-server-4-9-security-release/#cve-2021-43799-remote-code-execution-vulnerability-involving-rabbitmq, which has a bunch of public context about the impact of this bug, as well as background explanation that may help release managers who don't know much about Erlang/RabbitMQ. -Tim Abbott