Re: CVE-2020-10938/graphicsmagick and additional upstream change



On Mon, Mar 30, 2020 at 04:29:13PM +0100, Chris Lamb wrote:
> Hi Roberto,
> 
> > I am in favor of including both changes, but I am not certain about
> > whether it is better to mention both in the changelog and advisories or
> > whether it is better to only mention CVE-2020-10938.  I lean slightly
> > toward mentioning both CVE-2020-10938 and the thread safety issue, but
> > if that is not a good idea I can be easily persuaded.
> 
> Potentially "dumb" question here, but would it be a bad idea to
> mention the entire background and story, viz the CVE being assigned
> after the changes have been committed, etc.?
> 
> That would seem to combine the maximum of clarity to our users with
> the minimum of soul-searching & ontological debate regarding what
> ought to be included or not by the security team(s).  :)
> 
Hi Chris,

Thanks for your insight.  That is a splendid suggestion.  I will
consider my default position on this, barring any significant revelation
which would invalidate it.

Security team,

How would you feel about including the entire upstream change and
wording the advisory in the way Chris has suggested?

Regards,

-Roberto

-- 
Roberto C. Sánchez
