Hi Chris, Utkarsh, all

In this particular case Salvatore has said that the CVE needs to be assigned by the Apache CNA. We should ask them about it I guess.

When I added it to dla-needed it looked severe enough to warrant a fix. Let me know if you have any other opinion.

If we see delays in response regarding the CVE assignment I think we can release a fix with just the bug reference, not to delay things unnecessarily. But I do not think a few days is an issue, so try to get the CVE first.

Hope this helps.

Best regards

// Ola

On Sun, 10 May 2020 at 00:58, Chris Lamb <[email protected]> wrote:

> Hi Utkarsh et al.,
>
> > Unless there's a CVE assigned for this, should I really be fixing it
> > and announcing the update?
>
> This might be conflating cause and effect. Let me ask a question in
> return - did you consider applying for a CVE? If we cannot justify
> applying for one on grounds of severity then by that very fact it
> won't be worth fixing in Jessie LTS.
>
> (Getting a CVE is somewhat easier than you think and the first CVE
> I was assigned was actually a nice little badge of honour.)
>
>
> Regards,
>
> --
>       ,''`.
>      : :'  :     Chris Lamb
>      `. `'`      [email protected] 🍥 chris-lamb.co.uk
>        `-
>

--
 --- Inguza Technology AB --- MSc in Information Technology ----
|  [email protected]                   [email protected]  |
|  http://inguza.com/        Mobile: +46 (0)70-332 1551     |
 ---------------------------------------------------------------
