Re: imagemagick
On Wed, 27 Jan 2016, Thorsten Alteholz wrote:
> On Tue, 26 Jan 2016, Brian May wrote:
> >Just wondered why imagemagick was marked in data/dla-needed.txt?
>
> At least someone found these issues so remarkable that an entry in our CVE
> list exists.
This is not a proper answer. Not all CVEs get fixed, and even more so TEMP-*
entries. You did your own analysis when you added them to dla-needed.txt.
> >Also, at what point do we decide that a CVE is needed for issues like
> >this?
>
> We don't decide about CVEs, they are assigned by Mitre. We just do DLAs
> whenever one is needed and this depends on the severity and/or the number of
> issues ...
For TEMP-* issues like we have here, we are entitled to request a CVE by
posting to the oss-security list and requesting a CVE to be assigned.
So the question is legitimate.
Cheers,
--
Raphaël Hertzog ◈ Debian Developer
Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/