Re: How to handle freeimage package



On Mon, Apr 08, 2024 at 12:06:25AM +0200, Ola Lundqvist wrote:
> Hi again
> 
> Today I looked at the freeimage package that we have in dla-needed.
> My conclusion is that we have 19 CVEs postponed with motivation "revisit
> when fixed upstream" and 23 CVEs that are in bullseye declared as no-dsa
> with the same motivation.
> 
> Since we have this postpone decision for the 19 CVEs we should declare the
> rest as postponed as well. This means that the package should go away from
> dla-needed after such an operation.
> 
> Or am I reasoning in the wrong way?
> 
> In fact I think all the ones with local DoS class should be declared "low"
> severity.
> 
> If I do not hear anything about this I will change this in the way I
> describe above.

The new issues were already there when I wrote
  Lack of upstream activity,
  postponed issues are "Revisit when fixed upstream"
in dla-needed two weeks ago.

Since you decided to take freeimage anyhow, I'd suggest
that you go through the CVEs and develop fixes for them
(but check with the LTS Coordinators first).

> Cheers
> 
> // Ola

cu
Adrian