[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: unzip CVE-2019-13232

Am 03.08.19 um 10:55 schrieb Sylvain Beucler:
> When an early fix is more likely to introduce regressions than protect
> users from real-world attacks, don't we mark it as 'postponed'?

We only postpone a fix if there is a minor issue and it is not worth
fixing via a standalone update. Every fix has in theory the potential to
introduce a regression because we change something. The answer can't be
to stop fixing bugs but to evaluate the possible impact of a change and
if necessary correct the patch in another step. If the risk of a
regression outweighs the benefit of a fix we usually mark the CVE as
"ignored", e.g. when upstream introduces a new security option that
requires a lot of code refactoring but only improves the security for
non-default setups in rather uncommon scenarios.



Attachment: signature.asc
Description: OpenPGP digital signature

Reply to: