Bug#860068: Processed: Re: Bug#860068: tomcat8: CVE-2017-5647

2017-04-11 Thread Markus Koschany
On 11.04.2017 at 17:44, Salvatore Bonaccorso wrote:
[...]
>> I suggest using the found/fixed tags as
>> needed.
> 
> NB: Which is exactly what I did (see the different found versions), to
> track the version correctly in the BTS as well. But now it would treat
> e.g. CVE-2017-5650 as found in 8.0.14-1 as well, which is not true.
> 
> Anyway, thanks a lot for taking care of those CVEs and fixing them!
> 
> Regards,
> Salvatore

I appreciate that you already did an assessment of which versions are
affected or not. However, I find it simpler to report all newly found
vulnerabilities in one bug report and then let the maintainer evaluate
the situation and act on the bug report as needed. Moritz does this a
lot when he reports CVEs. Your approach makes total sense too, but
since we have the security tracker with all that information (you have
already marked two CVEs as fixed in Jessie), it's not necessarily
imperative.

By the way, we also have many CVEs with no Debian bug report, and users
just have to rely on the security tracker for further information. In
fact, we want them to use it, and the bug reports are more of a heads-up
for maintainers.

Of course this is just my stubborn opinion; it's not easy to please
everybody. Others will surely want you to report all those dozens of
CVEs for package X separately...

Regards,

Markus

This is the maintainer address of Debian's Java team.
Please use debian-j...@lists.debian.org for discussions and questions.

Bug#860068: Processed: Re: Bug#860068: tomcat8: CVE-2017-5647

2017-04-11 Thread Salvatore Bonaccorso
Hi,

On Tue, Apr 11, 2017 at 05:24:25PM +0200, Markus Koschany wrote:
> On 11.04.2017 at 17:18, Salvatore Bonaccorso wrote:
> > Hi Markus,
> > 
> > On Tue, Apr 11, 2017 at 02:18:14PM +, Debian Bug Tracking System wrote:
> >> Processing control commands:
> >>
> >>> merge 860068 860069 860070 860071
> >> Bug #860068 [src:tomcat8] tomcat8: CVE-2017-5647
> >> Bug #860069 [src:tomcat8] tomcat8: CVE-2017-5648
> >> Marked as found in versions tomcat8/8.5.11-1.
> >> Bug #860068 [src:tomcat8] tomcat8: CVE-2017-5647
> >> Marked as found in versions tomcat8/8.5.11-1.
> >> Bug #860071 [src:tomcat8] tomcat8: CVE-2017-5651
> >> Marked as found in versions tomcat8/8.0.14-1.
> >> Bug #860070 [src:tomcat8] tomcat8: CVE-2017-5650
> >> Marked as found in versions tomcat8/8.0.14-1.
> >> Merged 860068 860069 860070 860071
> > 
> > Why the merge? It was an explicit choice to open 4 bugs due to the
> > different CVEs and different affected versions (note that two affect
> > 8.0.14-1 and two only 8.5.11-1 but not the version in jessie).
> 
> Hi,
> 
[...]
> I suggest using the found/fixed tags as
> needed.

NB: Which is exactly what I did (see the different found versions), to
track the version correctly in the BTS as well. But now it would treat
e.g. CVE-2017-5650 as found in 8.0.14-1 as well, which is not true.

Anyway, thanks a lot for taking care of those CVEs and fixing them!

Regards,
Salvatore


Bug#860068: Processed: Re: Bug#860068: tomcat8: CVE-2017-5647

2017-04-11 Thread Markus Koschany
On 11.04.2017 at 17:18, Salvatore Bonaccorso wrote:
> Hi Markus,
> 
> On Tue, Apr 11, 2017 at 02:18:14PM +, Debian Bug Tracking System wrote:
>> Processing control commands:
>>
>>> merge 860068 860069 860070 860071
>> Bug #860068 [src:tomcat8] tomcat8: CVE-2017-5647
>> Bug #860069 [src:tomcat8] tomcat8: CVE-2017-5648
>> Marked as found in versions tomcat8/8.5.11-1.
>> Bug #860068 [src:tomcat8] tomcat8: CVE-2017-5647
>> Marked as found in versions tomcat8/8.5.11-1.
>> Bug #860071 [src:tomcat8] tomcat8: CVE-2017-5651
>> Marked as found in versions tomcat8/8.0.14-1.
>> Bug #860070 [src:tomcat8] tomcat8: CVE-2017-5650
>> Marked as found in versions tomcat8/8.0.14-1.
>> Merged 860068 860069 860070 860071
> 
> Why the merge? It was an explicit choice to open 4 bugs due to the
> different CVEs and different affected versions (note that two affect
> 8.0.14-1 and two only 8.5.11-1 but not the version in jessie).

Hi,

Please combine CVEs for (Java) packages, because single bug reports just
create more noise on the list, and in the end we make one upload to
address all of them together. I suggest using the found/fixed tags as
needed.

Regards,

Markus
