Hi,

> > > From my point of view at least items a), b) and d) deserve a CVE
> > > assignment due to the severity of the issues. Even if to my knowledge
> > > the code in question wasn't yet part of an official release, it might
> > > help the community to identify risks in their systems. Please tell me
> > > whether you want to assign CVEs on your end or whether I should do this.
> >
> > I'm curious, would it be worthwhile to ask for CVEs? I'm also curious
> > to know what's the target release for the fixes, so we can track these
> > on the Arch Linux side :)
>
> it's in new unreleased yet code in git master... the point is to not have any
> CVEs :)
It's a point of debate. Very strictly speaking, every state of the code that was publicly available is entitled to CVE assignments. When thinking of widespread projects like the Linux kernel, for example, you can never know who was or who will be cherry-picking certain commits etc. without being aware that there's a problem.

For distributions in this specific case there's no added value, except if they ship development snapshots of Enlightenment.

I don't want to be all bureaucratic about it. I could also post the report to the oss-sec mailing list and refrain from getting CVEs assigned. This would also allow the OSS community to get some attention on these findings that others may be interested in.

Cheers

Matthias
_______________________________________________
enlightenment-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/enlightenment-devel
