Ola Lundqvist <o...@inguza.com> writes:

> We can simply send a DLA-1283-2 telling that it was not fixed.

Do we all agree that this is not fixed? It really depends on the users of this library and how they use it.

Let's assume we agree it isn't fixed. I cannot think how to word this advisory. I don't think we have any advisory yet that completely reverses an existing advisory.

Maybe something like "DLA1283-1 indicated that we have a solution for CVE-2018-6594, but this has been disputed by the researchers who found the problem who claim the problem is not fixed."?

Also we would somehow have to update the security tracker to reflect that the issue is not actually fixed.

--
Brian May <b...@debian.org>