Re: Gtk2 1.2495 (stable) available
Hi Torsten,

Torsten Schoenfeld wrote (28 Jan 2015 19:31:55 GMT) :
> On 28.01.2015 17:51, intrigeri wrote:
>
>> Thanks. I've not seen a CVE request on oss-security (could have missed
>> it, though). Will it be allocated in another way, e.g. from the Red
>> Hat pool? A CVE would help distros a lot.
>
> No, we haven't done any kind of official security-related announcement.
> Do you really need such an "official" and elaborate effort for this
> kind of bug fix?

*I* don't need this since I read this list :)

But for other operating systems, yes, a CVE is needed. In the case at
hand, 3 weeks after the bug was fixed:

  * Fedora 20 and 21 have patched it
  * Debian still hasn't patched it (my fault)
  * Ubuntu hasn't patched it
  * OpenSUSE hasn't patched it

=> I guess that some major distros have nobody subscribed to
gtk-perl-list@ (no big surprise, considering the amount of Perl
modules they're packaging), and thus haven't heard of this potential
security issue yet. That's one very good reason to issue a CVE in
my opinion.

> These kinds of fixes are done all over the place all the time
> without special announcements.

IMO that's a problem that all OS security teams everywhere are
struggling against. A good explanation of why a CVE is needed was
provided a few weeks ago by Kurt Seifried (Red Hat product security):

  http://www.openwall.com/lists/oss-security/2015/01/29/20

Cheers,
-- 
intrigeri