
Re: following or getting ahead of Stable



On Wed, Dec 11, 2024 at 04:33:20PM -0500, Roberto C. Sánchez wrote:
> 
> In summary: let's not prepare DLAs for only one or two low priority CVEs
> (for the reasons discussed above), but let's certainly include the fixes
> when fixing other high priority CVEs. This should be fairly close to
> what we are already doing.
> 
To further clarify: if there are "many"[0] low priority CVEs, then it
may still warrant fixing them all via a DLA (even without a high
priority CVE being present).

One example of this is qemu, which currently has ~30 CVEs affecting
bullseye. (Thanks to Santiago for pointing out this example.)

Quickly looking through them, there is enough there to warrant working
towards a qemu DLA, even without a higher priority CVE to drive that.

Regards,

-Roberto

[0] I purposefully used "many" rather than give a specific number. As
with much of what we do, there is judgment and professional opinion
involved. There are some instances where 6 CVEs might be sufficient to
warrant a DLA and other instances where 25 CVEs might be insufficient.

-- 
Roberto C. Sánchez
