Am 11.04.2017 um 17:44 schrieb Salvatore Bonaccorso:
>> I suggest to use the found/fixed tags as
>> needed.
> NB: Which is exactly what I did (see the different found versions), to
> track correctly the version as well in BTS. But now it would treat
> e.g.  CVE-2017-5650 as well as found in 8.0.14-1 which is not true.
> Anyway, thanks a lot for taking care of those CVEs and fixing them!
> Regards,
> Salvatore

I appreciate that you already did an assessment which version is
affected or not. However I find it simpler to report all newly found
vulnerabilities with one bug report and then let the maintainer evaluate
the situation and act on the bug report as needed. Moritz does this a
lot when he reports CVEs. Your approach makes totally sense too but
since we have the security tracker with all those information, you have
already marked two CVEs as fixed in Jessie, it's not necessarily

By the way we also have many CVEs with no Debian bug report and users
just have to rely on the security tracker for further information. In
fact we want them to use it and the bug reports are more a heads-up for

Of course this is just my stubborn opinion, it's not easy to please
everybody. Others will surely want that you report all those dozens of
CVEs for package X separately...



Attachment: signature.asc
Description: OpenPGP digital signature

This is the maintainer address of Debian's Java team
Please use for discussions and questions.

Reply via email to