Bug#906012: libxcursor: CVE-2015-9262



On 31/08/18 23:46, Julien Cristau wrote:
Process questions are very much off-topic for this bug report, but...

On 08/30/2018 09:43 AM, Bjoern wrote:
As I am clearly unfamiliar with your processes, I really would
appreciate the clarification to better my understanding and perhaps
quell my concerns:

  * How far away is the 9.6 point release (given that 9.5 was released
just over 1.5 months ago)?

The aim is to have point releases roughly every couple of months.  In
practice anywhere between 2 to 4 is common.

  * Why could the issue not be dealt with by simply supplying the fix in
the nearer term as a security update?  Would it not be better to err on
the side of caution?

Any change in stable comes with risk (e.g. of regressions), it comes
with a cost both to the security team and to all users who need to apply
the update.  So the security team and/or package maintainers make a
risk/cost vs benefit analysis for any given issue and decide whether to
leave it unfixed or fix it through in a point release or fix it through
security.debian.org.

Cheers,
Julien

Thanks for the follow-up, Julien, and the guide concerning the point release scheduling. My concerns do however remain in regard to this libxcursor bug.

Does not the same risk/cost vs benefit analysis apply to old-stable which did receive the patch in a security update?

Still unanswered though is my third and main query in my previous post, quote:

" * I still would like to be pointed to the reference(s) and/or criteria used by the Security Team to determine that the issue is non-exploitable and a minor issue. I have searched around to find references regarding CVE-2015-9262 being non-exploitable, but have so far not found anything suggesting such - hence my request for a pointer."

Someone?

Kindest regards,
Bjoern.
