On Wed, Jun 29, 2022 at 11:51 AM Nilesh Patra <nil...@nileshpatra.info> wrote:
>
> On 6/29/22 12:18 PM, Mathieu Malaterre wrote:
> > Hi there,
> >
> > It turns out there are three CVEs associated with DCMTK version older
> > than 3.6.7.
> >
> > * https://www.hipaajournal.com/warning-issued-about-3-high-severity-vulnerabilities-in-offis-dicom-software/
> >
> > Should we get in touch with debian-security to have them properly
> > reported ?
>
> Yes.
> Not to have them reported, but to coordinate uploads to security queue.
>
> > I am not clear about the process.
>
> Ah.
> You might wish to read this paragraph[1,2] from dev-ref, explains it clearly.
>
> [1]: https://www.debian.org/doc/manuals/developers-reference/pkgs.en.html#security-uploads
> [2]: https://www.debian.org/doc/manuals/developers-reference/pkgs.en.html#bug-security

Still not clear about the vocabulary. What does "NOT-FOR-US" mean?

E.g.: https://security-tracker.debian.org/tracker/CVE-2022-2119

It seems this contradicts paragraph:

* https://security-team.debian.org/security_tracker.html#about

Comments?