[11:37] <ingvar> Got a question on CVE-2020-11653 aka 1971504. I think it is important. Being new to the ubuntu bug/change process, I'd like to know if there is anything else I should do to get attention to this bug.
[11:37] <ingvar> I have added my comments to that bug
[11:42] <ingvar> https://bugs.launchpad.net/ubuntu/+source/varnish/+bug/1971504
[12:42] <rbasak> ingvar: that bug is confusing since it covers multiple issues. I suggest that if you want to track a specific issue in the bug tracker, you ensure that a bug exists that specifically tracks that issue only.
[12:44] <rbasak> ingvar: we generally cherry-pick security fixes, so if you provide a suitable debdiff that fixes just a specific issue and it meets the security team's requirements, then they can sponsor it for you. See https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures and https://wiki.ubuntu.com/SecurityTeam/SponsorsQueue, and for help, use #ubuntu-security.
[12:45] <rbasak> According to https://ubuntu.com/security/CVE-2020-11653 Ubuntu is not affected by that CVE. Is that wrong? If so, please ask in #ubuntu-security for that entry to be fixed.
[12:56] <ingvar> rbasak: Thanks. Being used to the patching method in rpms, I find Debian/Ubuntu's quilt quite cumbersome. I may look into this, but I do _not_ guarantee anything. I have reported my findings in #ubuntu-security.