I think the point Willy tried to make is that it should be handled the same way regardless of being a security patch or not. All fixes are important - so see them as "security" fixes for bugs if you like.
On 06/11/2019, 10.04, "apcoeproductnotificati...@wellsfargo.com" <apcoeproductnotificati...@wellsfargo.com> wrote:

Hi Willy,

Thanks for the info, but honestly I am not focusing only on the security fix. I need confirmation whether 2.0.8 is a security patch or a discretionary patch so that I can work on it accordingly on the basis of patch type.

Regards,
Anurag

-----Original Message-----
From: Willy Tarreau <w...@1wt.eu>
Sent: Wednesday, November 6, 2019 2:15 PM
To: APCoE Product Notifications <apcoeproductnotificati...@wellsfargo.com>
Cc: xro...@gmail.com; haproxy@formilux.org; Na, Anurag <anurag...@wellsfargo.com>
Subject: Re: Product Info

On Wed, Nov 06, 2019 at 08:09:55AM +0000, apcoeproductnotificati...@wellsfargo.com wrote:
> Hi Rob/Thomas,
> Good day!!
>
> Thanks for the update. As per the link, the current patch is 2.0.8,
> released on 23-10-2019. Request you to please confirm whether this
> patch is also a security patch fixing any vulnerability (please
> provide the CVE if available) or not, as it has one major bug fix in the release notes.

Well, it was marked security since it was considered as such by the reporter, even though it requires you to use a vulnerable server and to purposely write a bogus configuration, so my personal opinion on it is that it's very minor compared to all the issues we fix on a daily basis.

In addition, please note that ALL FIXES ARE IMPORTANT and that if you're trying to only pick fixes explicitly marked as security, you'll end up with the most bogus load balancer on earth, and you'd rather not do this at all if you care for your site's availability. Focusing on CVEs only is part of what Linus Torvalds calls the "security circus" and I fully agree with him on that, considering how harmful most bugs can be for production and which are dropped by people focusing on CVEs only and who instead pick irrelevant stuff because these have a "security" sticker.

Also please have a look at this presentation by GregKH explaining the ridiculous situation we've reached with CVEs nowadays: https://kernel-recipes.org/en/2019/talks/cves-are-dead-long-live-the-cve/

In short, if you're wondering what patch to pick, you WILL eventually cause some disaster on your production that only YOU will be responsible for, by having deliberately rejected important fixes. You'd rather rely on up-to-date releases, either from sources if you build yourself, or from distro maintainers if you prefer to use pre-built packages. The project maintainers devote a lot of time maintaining stable branches containing only fixes precisely so that nobody has to duplicate this boring and dangerous job.

Note that if you fear regressions, it's normal. Nobody likes to face them. In this case, just wait one week or even one month for others to deploy a new version before you do so, and you'll know if you're taking any risk. Everyone does this depending on the criticality. What is certain is that by not updating you're taking the risk of hitting any of the hundreds of bugs that are known and fixed upstream.

Willy