On Fri, Dec 20, 2019 at 08:36:00AM +0100, Salvatore Bonaccorso wrote:
> Hi Roberto,
>
> On Thu, Dec 19, 2019 at 08:06:19PM -0500, Roberto C. Sánchez wrote:
> > On Thu, Dec 19, 2019 at 09:19:19PM +0100, Salvatore Bonaccorso wrote:
> > >
> > > The following vulnerability was published for cyrus-sasl2.
> > >
> > > CVE-2019-19906[0]:
> > > Off by one in _sasl_add_string function
> > >
> > > If you fix the vulnerability please also make sure to include the
> > > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> > >
> > Hi Team,
> >
> > Is anybody already working on this update? If not, I can start on it
> > possibly tomorrow or perhaps the day after.
> >
> > Salvatore,
> >
> > If I (or someone else on the team) prepares the upload, do we go ahead
> > and make the upload then let the security team handle the DSA
> > publication?
>
> I already started yesterday, and have buster and stretch packages,
> will likely release the DSA later today or tomorrow. So far tested
> just lightly for stretch but will double check explicitly against
> openldap.
>
Oh! That's excellent.

> unstable would need an update as well yet.
>
Of course.

> Can you later import then the changes in the packaging repository in
> the appropriate branches?
>
I could manage that in the coming days. Unless Ondrej or someone else
gets to it first.

Regards,

-Roberto

--
Roberto C. Sánchez