Moritz Muehlenhoff <[email protected]> wrote:

> Package: tiff
> Severity: grave
> Tags: security
> Justification: user security hole
>
> Please see:
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3087
>
> This patch should fix it:
> http://bugzilla.maptools.org/show_bug.cgi?id=2140

Upstream rejected the patch in their bug 2140, and the patch's author
said it was only a partial fix.  The CVE references a bug in Novell's
bugzilla, but even after creating an account, I don't have access to
read the bug.  So I'm really not sure what to do here.  I could just
blindly accept the patch, but then I'm permanently deviating from
upstream.  Should I discuss with upstream?  I could grab Red Hat's
latest SRPM and see how long they've been using this patch, or I could
dig through upstream's CVS repository and see what the status is there.

-- 
Jay Berkenbilt <[email protected]>



-- 
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]

Reply via email to