Re: Propose to ignore libxstream-java CVEs
Am Freitag, dem 27.08.2021 um 14:03 +0200 schrieb Sylvain Beucler:
> Hi,
> I wrote an analysis in June
> https://lists.debian.org/debian-lts/2021/06/msg00024.html
> https://lists.debian.org/debian-lts/2021/06/msg00040.html
> I believe we should postpone these CVEs with the goal of tracking how
> /upstream/ reverse dependencies are adapting to the removal of the
> blacklist, and backport the changes to the /packaged/ reverse dependencies.

Let me test the new whitelist approach in unstable first. I intend to upload
version 1.4.18 to unstable today. If there are no regressions, we can just
switch to the whitelist because this is the most secure one. On the other hand,
we can still keep adding problematic types to the blacklist for now, which is
not too difficult either. These workarounds are documented here:


In my opinion we should not ignore the CVE but choose one of the two solutions
going forward.
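To make the two options discussed in this thread concrete, here is an added example (not code from the thread or from the XStream project) showing what a whitelist configuration looks like in XStream 1.4.x: start from "deny every type", grant only the types the application actually needs, and let everything else fail with `ForbiddenClassException`. The `Person` class and the XML documents are constructed for the example; the XStream API calls (`addPermission`, `allowTypes`, `NoTypePermission`, `NullPermission`, `PrimitiveTypePermission`) are the real ones. The contrast with the blacklist approach is that a blacklist accepts any type not explicitly denied, so every newly discovered problematic type needs another entry, whereas the whitelist rejects unknown types by default.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamWhitelistDemo {

    // Constructed application type for the example; not part of any real package.
    public static class Person {
        String name;
        int age;
    }

    /**
     * Whitelist ("allow list") configuration: clear the permission set, then
     * grant only nulls, primitives, String and the application's own Person type.
     * Any other type named in the XML is rejected before it is instantiated.
     */
    static XStream whitelistedXStream() {
        XStream xstream = new XStream();
        xstream.addPermission(NoTypePermission.NONE);          // deny everything first
        xstream.addPermission(NullPermission.NULL);            // allow null values
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES); // int, boolean, ...
        xstream.allowTypes(new Class[] { String.class, Person.class });
        xstream.alias("person", Person.class);
        return xstream;
    }

    /**
     * Deserialize untrusted XML into a Person. Types outside the whitelist cause
     * ForbiddenClassException, which callers should treat as a rejected input,
     * not as a generic parse error.
     */
    static Person parsePerson(XStream xstream, String xml) {
        return (Person) xstream.fromXML(xml);
    }

    public static void main(String[] args) {
        XStream xstream = whitelistedXStream();

        // Constructed benign input: only whitelisted types appear.
        String ok = "<person><name>Alice</name><age>30</age></person>";
        Person p = parsePerson(xstream, ok);
        System.out.println("accepted: " + p.name + ", " + p.age);

        // Constructed input naming a type that is not on the whitelist.
        // A blacklist-based setup would accept any type not explicitly denied;
        // the whitelist rejects it regardless of whether it is known to be dangerous.
        String notAllowed = "<java.util.HashMap/>";
        try {
            xstream.fromXML(notAllowed);
            System.out.println("unexpected: type was accepted");
        } catch (ForbiddenClassException e) {
            System.out.println("rejected by whitelist: " + e.getMessage());
        }
    }
}
```

Compile and run with the xstream jar on the classpath (for example `javac -cp xstream-1.4.18.jar XStreamWhitelistDemo.java && java -cp .:xstream-1.4.18.jar XStreamWhitelistDemo`). For a reverse dependency being adapted to the whitelist, the work is the `allowTypes` line: enumerate the types the application legitimately deserializes, which is exactly the change the thread proposes tracking in upstream projects and backporting.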
