
Re: imagemagick



On Wed, 27 Jan 2016, Thorsten Alteholz wrote:
> On Tue, 26 Jan 2016, Brian May wrote:
> >Just wondered why imagemagick was marked in data/dla-needed.txt?
> 
> At least someone found these issues so remarkable that an entry in our CVE
> list exists.

This is not a proper answer. Not all CVEs get fixed, and even more so TEMP-*
entries. You did your own analysis when you added them to dla-needed.txt.

> >Also, at what point do we decide that a CVE is needed for issues like
> >this?
> 
> We don't decide about CVEs, they are assigned by Mitre. We just do DLAs
> whenever one is needed and this depends on the severity and/or the number of
> issues ...

For TEMP-* issues like we have here, we are entitled to request a CVE by
posting to the oss-security list and requesting a CVE to be assigned.

So the question is legitimate.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/

