* Moritz Muehlenhoff:

> I don't think this is needed. We can turn cases like these into
> REJECTED entries through our Mitre contact. Florian, did you find
> many cases like this?

See my message to Joey. I mainly want to do this to have a clean resolution for each CVE entry (explicit package list, or a reason why there isn't one).

> Besides, I think the main issue in this specific case is that it's not a
> vulnerability. So simply add it to not-affected as well and consider it an
> issue only for distributions that ship mcedit suid (i.e. none).

I think such bugs, if reproducible, are still security issues. Maybe nobody uses mcedit as a pager or from mutt, but users have a reasonable expectation that opening a file in an ordinary text editor does not automatically execute code contained in that file.

_______________________________________________
Secure-testing-team mailing list
[email protected]
http://lists.alioth.debian.org/mailman/listinfo/secure-testing-team

