On Tue, 12 Apr 2022 11:17:51 +0200 Filip Hroch <hroch@physics.muni.cz> wrote:

> Dear Colleagues,
>
> I solved CVE-2021-3624 (#984761) some time ago.
> Yesterday, I retraced the issue and sent an e-mail
> with information to the upstream author.
>
> Unfortunately, the patched upgrade is still (falsely?)
> indicated as unsolved [1]. Had I overlooked any standard
> procedure for announcements to the security team?

Yes - when preparing your debian/changelog entry for the upload.

https://www.debian.org/doc/manuals/developers-reference/pkgs.en.html#bug-security-building

> Or, is there
> something else to do?

The changes entry which closed the bug didn't mention the CVE:

https://tracker.debian.org/news/1280781/accepted-dcraw-928-3-source-into-unstable/

That text comes from your changelog entry:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984761#35

Normally, a security bug is filed from a template which includes:

    If you fix the vulnerability please also make sure to include the
    CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

Compare with https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1009044

and also with:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=933996

The presence of a CVE in the Changes entry can then prompt the security
team to update the tracker information.

For this specific CVE, now that the bug is closed, a manual process can
be done.

-- 
Neil Williams
=============
https://linux.codehelp.co.uk/
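The point of the reply above is a pre-upload check: the top debian/changelog stanza that closes a security bug must also name the CVE id, or the security tracker will not pick the fix up. The following is an added example, not code from the message or from Debian's tooling; it parses the first changelog stanza, pulls out the `Closes:` bug numbers and any CVE ids, and reports which CVEs a closed bug is known to track but the entry fails to mention. The changelog text and the bug-to-CVE mapping are constructed for illustration (the "good" entry is what an upload closing #984761 with CVE-2021-3624 named would look like; the "bad" entry is the same fix without the CVE).

```python
import re

# Constructed sample: a changelog whose top stanza names the CVE it fixes.
# A second, older stanza is included to check that only the top entry is read.
GOOD_CHANGELOG = """\
example-pkg (1.0-2) unstable; urgency=high

  * Apply upstream fix for CVE-2021-3624 (Closes: #984761)

 -- Example Maintainer <maintainer@example.org>  Mon, 11 Apr 2022 10:00:00 +0200

example-pkg (1.0-1) unstable; urgency=medium

  * Older entry mentioning CVE-2020-1234 (Closes: #111111)

 -- Example Maintainer <maintainer@example.org>  Mon, 01 Mar 2021 10:00:00 +0100
"""

# Constructed sample: the same fix, but the stanza closes the bug without
# naming the CVE, which is exactly the situation the reply describes.
BAD_CHANGELOG = GOOD_CHANGELOG.replace(
    "Apply upstream fix for CVE-2021-3624 (Closes: #984761)",
    "Apply upstream fix for image parsing bug (Closes: #984761)",
)

# One stanza: header line, body, then the " -- Maintainer <email>  date" trailer.
STANZA_RE = re.compile(
    r"^(?P<source>\S+) \((?P<version>[^)]+)\) (?P<dist>[^;]+); urgency=(?P<urgency>\S+)\n"
    r"(?P<body>.*?)^ -- ",
    re.MULTILINE | re.DOTALL,
)
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")
# Accepts the forms the Debian archive software recognises: "Closes: #1234",
# "closes: bug#1234", "Closes: #1234, #5678".
CLOSES_RE = re.compile(r"closes:\s*((?:(?:bug)?#?\d+[,\s]*)+)", re.IGNORECASE)


def parse_top_entry(changelog: str) -> dict:
    """Return source, version, closed bug numbers and CVE ids of the top stanza."""
    m = STANZA_RE.search(changelog)
    if not m:
        raise ValueError("no debian/changelog stanza found")
    body = m.group("body")
    bugs = sorted({int(n) for grp in CLOSES_RE.findall(body) for n in re.findall(r"\d+", grp)})
    cves = sorted(set(CVE_RE.findall(body)))
    return {
        "source": m.group("source"),
        "version": m.group("version"),
        "bugs": bugs,
        "cves": cves,
    }


def missing_cves(changelog: str, bug_to_cves: dict) -> list:
    """CVE ids that the top entry should name (because it closes a bug tracking
    them) but does not. An empty list means the entry is ready for upload."""
    entry = parse_top_entry(changelog)
    wanted = {cve for bug in entry["bugs"] for cve in bug_to_cves.get(bug, [])}
    return sorted(wanted - set(entry["cves"]))


if __name__ == "__main__":
    # Constructed mapping of security bug number -> CVE ids it tracks; in a real
    # workflow this comes from the bug report filed from the security template.
    known = {984761: ["CVE-2021-3624"]}
    for name, text in (("good", GOOD_CHANGELOG), ("bad", BAD_CHANGELOG)):
        gap = missing_cves(text, known)
        print(f"{name}: {'ok' if not gap else 'missing ' + ', '.join(gap)}")
```

Running the check against the "bad" text reports `missing CVE-2021-3624`, which is the condition to catch before `dput`; anything older than the top stanza is ignored, since only the new entry reaches the Changes file and the tracker.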