Re: Security bugs in unmaintained/maintenerless librsvg

On Mon, Feb 02, 2015 at 11:31:38AM +0100, Dimstar / Dominique Leuenberger wrote:
On Sun, 2015-02-01 at 23:45 +0100, Olav Vitters wrote:
Hello distributors,

We've received various security bugs about librsvg. As that module is
unmaintained, these bugs have not been fixed. These bugs and various
others will be made public really soon. Possibly as of next week.

Maintainers for librsvg welcome. In any case, take note.

Feel free to discuss here or on desktop-devel-list gnome org (make sure
you're subscribed).
being part of a distribution team: do you have any information you can
share on this topic or do we have to wait it to become fully public?

Maybe we can even throw in some man power; worthy to be explored.

We received various details on bugs already. The normal process is that
we forward this to the maintainer and it is fixed. There's nothing in
place when there's no maintainer. As release team, we thought it was
maybe better to have a few security people on security gnome org 
However, we never actioned it and now have these bugs.

So one way to proceed would maybe be to some known opensuse security
person to security gnome org, then setup Bugzilla permissions as well.

I'm guessing we should also add Red Hat / Fedora. We had people showing
interest quite a while ago.

Note: security gnome org was mainly used (until libsrvg) to either rant
or ask random support questions. Any security person can ignore those,
it'll be handled by release team. People sometimes email maintainers
directly, sometimes we're a post office.

Anyone who's interested probably should be willing to improve anything
that's lacking.


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]