Hi Guilhem [adding team@s.d.o to the loop]

On Tue, Aug 21, 2018 at 11:30:00PM +0200, Guilhem Moulin wrote:
> Control: found -1 2014.65-1+deb8u2
>
> Hi Salvatore,
>
> Wow, you're fast :-) I read the discussion in the upstream list but
> wasn't aware a CVE had been assigned yet.
>
> Upstream replied “I should have a patch in the next couple of days”, and
> I'll propose an upload to stretch-security after that. (Hopefully the
> patch will be easy to backport as ‘svr-auth.c’ hasn't changed much since
> oldstable.)

Thanks!

We were discussing this related issue (similar to openssh) in the team yesterday, and we were thinking whilst we might issue a DSA for openssh, we tend to not issue a DSA for dropbear itself for the similar issue. The use cases are likely different where they are used, so we think updating for the next point release via stretch-pu might suffice here for dropbear.

Would you agree and could you instead update dropbear for the next point release?

Regards,
Salvatore