Re: security related bug report - no maintainer reaction for 1 year

To: debian-devel@lists.debian.org
Subject: Re: security related bug report - no maintainer reaction for 1 year
From: Brian Nelson <pyro@debian.org>
Date: Tue, 27 Jul 2004 19:12:12 -0700
Message-id: <[🔎] 87fz7c98xv.fsf@scabbers.bignachos.com>
Mail-followup-to: debian-devel@lists.debian.org
References: <[🔎] 20040721112904.GE7179@lst.de> <[🔎] 87u0w1iju8.fsf@papadoc.bayour.com> <[🔎] 87u0vuqsmu.fsf@deneb.enyo.de> <[🔎] 20040727005832.GB3821@alcor.net> <[🔎] 873c3ecgy6.fsf@scabbers.bignachos.com> <[🔎] 20040727071446.GA3589@finlandia.infodrom.north.de> <[🔎] 87y8l59wdi.fsf@scabbers.bignachos.com> <[🔎] 20040727181750.GA3854@alcor.net>

Matt Zimmerman <mdz@debian.org> writes:

> On Tue, Jul 27, 2004 at 10:46:01AM -0700, Brian Nelson wrote:
>
>> Like this?
>> 
>> http://www.mozilla.org/projects/security/known-vulnerabilities.html
>
> Yes, that list is an excellent place to start.  The next step is to
> determine which of those 80 bugs indeed affect woody, and justify a security
> update, and how to fix them.

Well, up to the November 2003 update, it lists the milestones affected,
and nearly all 63 of those bugs seem to apply to Woody's 1.0 version.
After that, they stopped listing the milestones, probably because it was
too difficult to figure out all the ones affected.

It would be a Herculean task to go through each bug, verify it applies
to Woody, backport the patch required to fix it (if it's even possible
to backport every patch considering how active Mozilla development has
been the past couple years), and come out with something usable.  I'm
certainly not about to try it, especially considering how much easier it
would be to just use the latest Mozilla version instead.

-- 
You win again, gravity!

Reply to:

Follow-Ups:
- Re: security related bug report - no maintainer reaction for 1 year
  - From: Matt Zimmerman <mdz@debian.org>
- Re: security related bug report - no maintainer reaction for 1 year
  - From: Mathieu Roy <yeupou@coleumes.org>

References:
- security related bug report - no maintainer reaction for 1 year
  - From: Johannes Poehlmann <johannes@lst.de>
- Re: security related bug report - no maintainer reaction for 1 year
  - From: Turbo Fredriksson <turbo@debian.org>
- Re: security related bug report - no maintainer reaction for 1 year
  - From: Florian Weimer <fw@deneb.enyo.de>
- Re: security related bug report - no maintainer reaction for 1 year
  - From: Matt Zimmerman <mdz@debian.org>
- Re: security related bug report - no maintainer reaction for 1 year
  - From: Brian Nelson <pyro@debian.org>
- Re: security related bug report - no maintainer reaction for 1 year
  - From: Martin Schulze <joey@infodrom.org>
- Re: security related bug report - no maintainer reaction for 1 year
  - From: Brian Nelson <pyro@debian.org>
- Re: security related bug report - no maintainer reaction for 1 year
  - From: Matt Zimmerman <mdz@debian.org>

Prev by Date: Re: [htdig-dev] Licensing issues...
Next by Date: Re: [htdig-dev] Licensing issues...
Previous by thread: Re: security related bug report - no maintainer reaction for 1 year
Next by thread: Re: security related bug report - no maintainer reaction for 1 year
Index(es):
- Date
- Thread