On Fri, 25 Nov 2016, Ola Lundqvist wrote:
> I did not want to tag them no-dsa (without further analysis) due to the
> following:

And you expected that further analysis to be done by whoever would pick the package? In that case, you could have left a comment along the lines of "security team tagged the issues as no-dsa, I'm not 100% sure we should do the same in wheezy, please review the CVE and feel free to tag them no-dsa as well if you agree with the security team's assessment".

> 1) Our recent discussion regarding heap overflow (causing arbitrary code
> execution) not being protected by the compiler.

It's hard to assess this one. But here we need HTML input and I expect it to be harder to inject binary data hosting code that we would like to execute.

> 2) Stable security use no-dsa to mark that they are not immediately fixed
> but could be fixed in a point release. Oldstable security do not have a
> point release so therefore we should not use no-dsa as frequently.

Right, but they tend to write "Minor issue, can be fixed in a point release" for the latter; this is not the case here.

> However if you think they are minor enough I'll happily mark them no-dsa as
> well.

Please do.

Cheers,
--
Raphaël Hertzog ◈ Debian Developer
Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/
