[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Wheezy update of w3m?

On Fri, 25 Nov 2016, Ola Lundqvist wrote:
> I did not want to tag then no-dsa (without further analysis) due to the
> following:

And you expected that further analysis to be done by whoever would pick
the package? In that case, you could have left a comment along the lines
of "security team tagged the issues as no-dsa, I'm not 100% sure we should
do the same in wheezy, please review the CVE and feel free to tag them
no-dsa as well if you agree with the security team's assessment".

> 1) Our recent discussion regarding heap overflow (causing arbitrary code
> execuition) not being protected by the compiler.

It's hard to assess this one. But here we need HTML input and I expect it
to be harder to inject birary data hosting code that we would like to

> 2) Stable security use no-dsa to mark that they are not immediately fixed
> but could be fixed in a point release. Oldstable security do not have a
> point release so therefore we should not use no-dsa as frequently.

Right, but they tend to write "Minor issue, can be fixed in a point
release" for the latter, this is not the case here.

> However if you think they are minor enough I'll happily mark them no-dsa as
> well.

Please do.

Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/

Reply to: