Bug#860068: Processed: Re: Bug#860068: tomcat8: CVE-2017-5647
Markus Koschany
apo at debian.org
Tue Apr 11 16:32:37 UTC 2017
Am 11.04.2017 um 17:44 schrieb Salvatore Bonaccorso:
[...]
>> I suggest to use the found/fixed tags as
>> needed.
>
> NB: Which is exactly what I did (see the different found versions), to
> track correctly the version as well in BTS. But now it would treat
> e.g. CVE-2017-5650 as well as found in 8.0.14-1 which is not true.
>
> Anyway, thanks a lot for taking care of those CVEs and fixing them!
>
> Regards,
> Salvatore
I appreciate that you already did an assessment which version is
affected or not. However I find it simpler to report all newly found
vulnerabilities with one bug report and then let the maintainer evaluate
the situation and act on the bug report as needed. Moritz does this a
lot when he reports CVEs. Your approach makes totally sense too but
since we have the security tracker with all those information, you have
already marked two CVEs as fixed in Jessie, it's not necessarily
imperative.
By the way we also have many CVEs with no Debian bug report and users
just have to rely on the security tracker for further information. In
fact we want them to use it and the bug reports are more a heads-up for
maintainers.
Of course this is just my stubborn opinion, it's not easy to please
everybody. Others will surely want that you report all those dozens of
CVEs for package X separately...
Regards,
Markus
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 963 bytes
Desc: OpenPGP digital signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-java-maintainers/attachments/20170411/70663ea3/attachment.sig>
More information about the pkg-java-maintainers
mailing list