
> Well, as one of those upstream authors whose code was patched: I was never contacted about it, so I never knew there was a requirement to be met, and so they carried around a bad patch for years, about which I knew nothing.

In my experience it's rather uncommon for a DD not to contact upstream. Would you mind sharing the package name and vulnerability so I and others can learn what happened?




If we're still talking about the Debian SSH key bug in 2008, here is the Debian bug (from 2006) that led to the security issue, which was discovered in 2008: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=363516.

Upstream was contacted about it: https://marc.info/?t=114651088900003&r=1&w=2



