Hi Sebastian,

On Thu, Jan 02, 2020 at 06:10:06PM +0000, Sebastian Andrzej Siewior wrote:
> On January 2, 2020 3:50:46 PM UTC, Salvatore Bonaccorso <car...@debian.org> wrote:
> >If you fix the vulnerability please also make sure to include the
> >CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> There is no upstream release which includes this fix (except for the
> 1.0.2 series). Should we quickly address this or is it okay to wait
> for the next upstream release? I could do this if this is preferred
> given that this is fixed in Stretch.

I think it's perfectly fine to wait for this until there is the next
upstream release of openssl. I just filed the bug to have it tracked,
but I think it's rather minor, and it does not have an elevated urgency
to be addressed now via a DSA cherry-picking only the fix.

Regards,
Salvatore