Hi
I was not aware of the ELTS customer need here.
Then we go for alternative 3. Good. Thank you.
I guess ELTS will do the development part of this.
I'll add this information to dla-needed.
// Ola
On Fri, 12 Apr 2024 at 10:25, Raphael Hertzog wrote:
>
> Hello Ola,
>
> On Fri, 12 Apr 2024,
Hello Ola,
On Fri, 12 Apr 2024, Ola Lundqvist wrote:
> I see three:
> 1) copy secteam decision and move on to the next package (I guess
> remove from dla-needed)
> 2) copy secteam decision for most of them, but fix the ones with fedora
> patches
> 3) dive in and start developing (that will take
Hi Roberto
See below.
On Fri, 12 Apr 2024 at 00:51, Roberto C. Sánchez wrote:
>
> Hi Ola,
>
> On Thu, Apr 11, 2024 at 11:11:15PM +0200, Ola Lundqvist wrote:
> >
> > What I typically do is to read the description, and the referenced
> > material to see if the reporter seems to make sense. If
Hi Ola,
On Thu, Apr 11, 2024 at 11:11:15PM +0200, Ola Lundqvist wrote:
>
> What I typically do is to read the description, and the referenced
> material to see if the reporter seems to make sense. If there is a fix
> available, read the fix. The fix typically gives a lot of information.
> In this
Hi Adrian
See below.
On Thu, 11 Apr 2024 at 22:46, Adrian Bunk wrote:
>
> On Thu, Apr 11, 2024 at 09:34:00PM +0200, Ola Lundqvist wrote:
> >...
> > On Thu, 11 Apr 2024 at 15:34, Santiago Ruano Rincón wrote:
> > ...
> > > Taking one of the recent changes to data/CVE/list:
> > >
> > > @@
On Thu, Apr 11, 2024 at 09:34:00PM +0200, Ola Lundqvist wrote:
>...
> On Thu, 11 Apr 2024 at 15:34, Santiago Ruano Rincón wrote:
> ...
> > Taking one of the recent changes to data/CVE/list:
> >
> > @@ -6999,6 +7000,7 @@ CVE-2024-28579 (Buffer Overflow vulnerability in open
> > source FreeImage
Hi Adrian
On Thu, 11 Apr 2024 at 17:18, Adrian Bunk wrote:
...
> > + [buster] - freeimage (Revisit when fixed upstream, low
> > severity DoS in tool)
> > NOTE:
> > https://github.com/Ruanxingzhi/vul-report/tree/master/freeimage-r1909
> >
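Review bot: the added [buster] line postpones with "low severity DoS in tool", but the NOTE below it gives only the report URL; since the surrounding entry is recorded as a buffer overflow in FreeImage, the note should state what makes this a crash-only issue (which tool reaches the affected code, and whether the report shows an out-of-bounds read or a write) so the next person revisiting the entry can check the downgrade rather than redo the analysis.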
> > Are you completely sure the related
Hi Santiago
Cutting down the commented part since it is rather long.
On Thu, 11 Apr 2024 at 15:34, Santiago Ruano Rincón wrote:
...
>
> The fact of claiming a package to avoid double-work is not the problem I
> see. What brought my attention was the way you said you were working on
> freeimage.
On Thu, Apr 11, 2024 at 10:34:13AM -0300, Santiago Ruano Rincón wrote:
>...
> On 11/04/24 at 08:25, Ola Lundqvist wrote:
>...
> > The ones I have now postponed are of the "local DoS" class. I'm here
> > interpreting that "local DoS" is the same as DoS after human
> > interaction. It is not
Hi Ola,
On 11/04/24 at 08:25, Ola Lundqvist wrote:
> On Thu, 11 Apr 2024 at 02:34, Santiago Ruano Rincón
> > On 10/04/24 at 22:08, Ola Lundqvist wrote:
> > > Hi all
> > >
> > > Sorry for the late reply. It took me too long today to answer the CVE
> > > triaging discussion. Now to this
Hi Santiago
See below.
On Thu, 11 Apr 2024 at 02:34, Santiago Ruano Rincón wrote:
>
> Hi Ola,
>
> On 10/04/24 at 22:08, Ola Lundqvist wrote:
> > Hi all
> >
> > Sorry for the late reply. It took me too long today to answer the CVE
> > triaging discussion. Now to this issue.
> >
> > Regarding
Hi Ola,
On 10/04/24 at 22:08, Ola Lundqvist wrote:
> Hi all
>
> Sorry for the late reply. It took me too long today to answer the CVE
> triaging discussion. Now to this issue.
>
> Regarding the Fedora patches. The patches seem to help for those
> specific issues they solve.
>
> My intention
On Wed, Apr 10, 2024 at 10:08:51PM +0200, Ola Lundqvist wrote:
> Hi all
Hi Ola,
> Sorry for the late reply. It took me too long today to answer the CVE
> triaging discussion. Now to this issue.
>
> Regarding the Fedora patches. The patches seem to help for those
> specific issues they solve.
>
>
Hi all
Sorry for the late reply. It took me too long today to answer the CVE
triaging discussion. Now to this issue.
Regarding the Fedora patches. The patches seem to help for those
specific issues they solve.
My intention for claiming the package was to go through the CVEs and
mark them with
On Wed, Apr 10, 2024 at 12:17:33PM -0400, Roberto C. Sánchez wrote:
> On Mon, Apr 08, 2024 at 07:56:40PM +0300, Adrian Bunk wrote:
> > On Mon, Apr 08, 2024 at 05:34:47PM +0200, Moritz Muehlenhoff wrote:
> > >
> > > So a useful next step would be to break those reports down into separate
> > > bug
On Wed, Apr 10, 2024 at 08:08:07PM +0300, Adrian Bunk wrote:
>
> My point was that an opposite approach of doing only
> "file upstream bugs and wait for upstream to fix the CVEs"
> is unlikely to have a positive outcome in this case.
>
> Forwarding fixes upstream is of course desirable,
> even
On Mon, Apr 08, 2024 at 07:56:40PM +0300, Adrian Bunk wrote:
> On Mon, Apr 08, 2024 at 05:34:47PM +0200, Moritz Muehlenhoff wrote:
> >
> > So a useful next step would be to break those reports down into separate
> > bug reports and file them there so that upstream actually learns about
> > them.
Hi (especially Ola),
On 08/04/24 at 13:59, Sylvain Beucler wrote:
> Hi,
>
> I think this requires a bit of coordination:
> - the package is basically dead upstream, there hasn't been a fix in the
> official repos, neither Debian nor other distros attempted to fix them
The only "exception"
On Mon, Apr 08, 2024 at 05:34:47PM +0200, Moritz Muehlenhoff wrote:
> On Mon, Apr 08, 2024 at 01:59:55PM +0200, Sylvain Beucler wrote:
> > Hi,
> >
> > I think this requires a bit of coordination:
> > - the package is basically dead upstream, there hasn't been a fix in the
> > official repos,
On Mon, Apr 08, 2024 at 01:59:55PM +0200, Sylvain Beucler wrote:
> Hi,
>
> I think this requires a bit of coordination:
> - the package is basically dead upstream, there hasn't been a fix in the
> official repos, neither Debian nor other distros attempted to fix them
Some of the past fixes got
On Mon, Apr 08, 2024 at 12:06:25AM +0200, Ola Lundqvist wrote:
> Hi again
>
> Today I looked at the freeimage package that we have in dla-needed.
> My conclusion is that we have 19 CVEs postponed with motivation "revisit
> when fixed upstream" and 23 CVEs that are in bullseye declared as no-dsa
>
Hi,
I think this requires a bit of coordination:
- the package is basically dead upstream, there hasn't been a fix in the
official repos, neither Debian nor other distros attempted to fix them
- we do have a sponsor for LTS and ELTS/stretch, so we're paid to take
care of this package
- secteam
Hi again
Today I looked at the freeimage package that we have in dla-needed.
My conclusion is that we have 19 CVEs postponed with motivation "revisit
when fixed upstream" and 23 CVEs that are in bullseye declared as no-dsa
with the same motivation.
Since we have this postpone decision for the 19