On Wed, 27 Jan 2016, Thorsten Alteholz wrote:
> On Tue, 26 Jan 2016, Brian May wrote:
> >Just wondered why imagemagick was marked in data/dla-needed.txt?
>
> at least someone found these issues so remarkable that an entry in our CVE
> list exists.

This is not a proper answer. Not all CVEs get fixed, and even more so TEMP-*
entries. You did your own analysis when you added them to dla-needed.txt.

> >Also, at what point do we decide that a CVE is needed for issues like
> >this?
>
> We don't decide about CVEs, they are assigned by Mitre. We just do DLAs
> whenever one is needed and this depends on the severity and/or the number of
> issues ...

For TEMP-* issues like we have here, we are entitled to request a CVE by
posting to the oss-security list and requesting a CVE to be assigned. So the
question is legitimate.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/
