Hi Raphael,

See below.
On 25 November 2016 at 14:39, Raphael Hertzog <[email protected]> wrote:
> On Fri, 25 Nov 2016, Ola Lundqvist wrote:
> > I did not want to tag them no-dsa (without further analysis) due to the
> > following:
>
> And you expected that further analysis to be done by whoever would pick
> the package?

Yes, that or myself when I got some more time this week.

> In that case, you could have left a comment along the lines
> of "security team tagged the issues as no-dsa, I'm not 100% sure we should
> do the same in wheezy, please review the CVE and feel free to tag them
> no-dsa as well if you agree with the security team's assessment".

Good point. I'll add that next time. This time I'll just make them no-dsa as you seem to have assessed them better than I do.

> > 1) Our recent discussion regarding heap overflow (causing arbitrary code
> > execution) not being protected by the compiler.
>
> It's hard to assess this one. But here we need HTML input and I expect it
> to be harder to inject binary data hosting code that we would like to
> execute.

That is a point. But are you sure it needs to be HTML? Can it not be just binary data over HTTP? However, I think binary data is quite easy to inject. On the other hand, I had not checked this in detail.

> > 2) Stable security use no-dsa to mark that they are not immediately fixed
> > but could be fixed in a point release. Oldstable security do not have a
> > point release so therefore we should not use no-dsa as frequently.
>
> Right, but they tend to write "Minor issue, can be fixed in a point
> release" for the latter, this is not the case here.

I see. I was under the impression that this ", can be fixed in a point release" text is often forgotten. I'm probably wrong there.

> > However if you think they are minor enough I'll happily mark them no-dsa as
> > well.
>
> Please do.

OK, will do so.

// Ola

> Cheers,
> --
> Raphaël Hertzog ◈ Debian Developer
>
> Support Debian LTS: http://www.freexian.com/services/debian-lts.html
> Learn to master Debian: http://debian-handbook.info/get/
