Re: Gtk2 1.2495 (stable) available
- From: intrigeri <intrigeri debian org>
- To: gtk-perl-list gnome org
- Subject: Re: Gtk2 1.2495 (stable) available
- Date: Wed, 18 Feb 2015 19:34:52 +0100
Hi Torsten,
Torsten Schoenfeld wrote (28 Jan 2015 19:31:55 GMT) :
> On 28.01.2015 17:51, intrigeri wrote:
>> Thanks. I've not seen a CVE request on oss-security (could have missed
>> it, though). Will it be allocated in another way, e.g. from the Red
>> Hat pool? A CVE would help distros a lot.
> No, we haven't done any kind of official security-related announcement.
> Do you really need such an "official" and elaborate effort for this
> kind of bug fix?
*I* don't need this since I read this list :)
But for other operating systems, yes, a CVE is needed. In the case at
hand, 3 weeks after the bug was fixed:
* Fedora 20 and 21 have patched it
* Debian still hasn't patched it (my fault)
* Ubuntu hasn't patched it
* OpenSUSE hasn't patched it
=> I guess that some major distros have nobody subscribed to
gtk-perl-list@ (no big surprise, considering the amount of Perl
modules they're packaging), and thus haven't heard of this potential
security issue yet. That's one very good reason to issue a CVE in
my opinion.
> These kinds of fixes are done all over the place all the time
> without special announcements.
IMO that's a problem that all OS security teams everywhere are
struggling against. A good explanation of why a CVE is needed was
provided a few weeks ago by Kurt Seifried (Red Hat product security):
http://www.openwall.com/lists/oss-security/2015/01/29/20
Cheers,
--
intrigeri