
Re: Wheezy update of w3m?



On Fri, 25 Nov 2016, Ola Lundqvist wrote:
> I did not want to tag then no-dsa (without further analysis) due to the
> following:

And you expected that further analysis to be done by whoever would pick
the package? In that case, you could have left a comment along the lines
of "security team tagged the issues as no-dsa, I'm not 100% sure we should
do the same in wheezy, please review the CVE and feel free to tag them
no-dsa as well if you agree with the security team's assessment".

> 1) Our recent discussion regarding heap overflow (causing arbitrary code
> execution) not being protected by the compiler.

It's hard to assess this one. But here we need HTML input and I expect it
to be harder to inject binary data hosting code that we would like to
execute.

> 2) Stable security use no-dsa to mark that they are not immediately fixed
> but could be fixed in a point release. Oldstable security do not have a
> point release so therefore we should not use no-dsa as frequently.

Right, but they tend to write "Minor issue, can be fixed in a point
release" for the latter, this is not the case here.

> However if you think they are minor enough I'll happily mark them no-dsa as
> well.

Please do.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/