Hi
I was about to remove runc from dla-needed but since Adrian sent out a question email about the removal I thought one more time. (I'm trying to learn from my mistakes) :-)
I'm getting a little confused about the notes about runc in dla-needed.
It says Complete fix for CVE-2024-21626 would require backport of ...
But CVE-2024-21626 looks like it is already fixed by DLA-3735-1.
If one looks at the status information in the data/CVE/list it looks like it is completely corrected.
But from the dla-needed note it looks like it is not. What is it?
Is it a sufficient fix?
Should we issue a new CVE for the remaining part?
Should it be fixed?
Should that remaining part be ignored?
My assumption is the following:
The CVE is not completely fixed but fixing the rest is not worth doing.
With that assumption I'm now removing the entry from dla-needed.
Please let me know if this is not correct.
I have moved the note from dla-needed to the CVE itself.
Cheers
// Ola
-- --- Inguza Technology AB --- MSc in Information Technology ----
---------------------------------------------------------------