[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Should bind9 be marked no-dla?

On Fri, Jul 08, 2016 at 11:39:22PM -0400, Roberto C. Sánchez wrote:
> I was looking over some of the packages which are still in need of DLAs.
> I saw that bind9 is listed as being vulnerable to CVE-2016-6170, but
> that is been marked as no-dsa for jessie [0].
> Should it be marked as no-dla for wheezy based on the issue being minor?

At Debconf we discussed that since LTS doesn't have point releases -
where minor issues can be fixed by the maintainer - we should use no-dsa
very cautiously and rather be on the safe side.

I'd rather fix the CVE in this case rather than marking it as no-dsa.

 -- Guido

Reply to: