On Mon, 7 Dec 2009 21:21:14 +0100, Torsten Werner wrote:

> tags 559765 + wontfix
> thanks
>
> On Mon, Dec 7, 2009 at 5:10 PM, Michael Gilbert
> <michael.s.gilb...@gmail.com> wrote:
> > changelog notes are not sufficient justification to close a security
> > issue. the source needs to be checked against a patch, so please find a
> > way to track that down. the easiest way is probably to just ask
> > upstream. thanks.
>
> No, I think it is your duty as the bug reporter to prove that the
> package is still vulnerable.
Because the consequences of security issues can be dire (although in this case the problem is fairly minor), it is much better to err on the side of caution when dealing with them. I can of course spend the time to study this problem and try to reproduce it, but since there are already claims that it is fixed, that seems like an unwise use of time. It is much more straightforward to simply check that the existing fix is applied.

Since you should have a relationship with upstream, it should be relatively straightforward to get a response from them. Also, this package is your responsibility, so you can't expect others to do your job for you.

If you think this request is overburdensome/unjustified, you can send an email to secur...@debian.org. Be aware that they expect this level of thoroughness at a minimum.

Best wishes,
Mike