Moritz Muehlenhoff <[email protected]> wrote: > Package: tiff > Severity: grave > Tags: security > Justification: user security hole > > Please see: > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3087 > > This patch should fix it: > http://bugzilla.maptools.org/show_bug.cgi?id=2140
Upstream rejected the patch in their bug 2140, and the patch's author said it was only a partial fix. The CVE references a bug in Novell's bugzilla, but even after creating an account, I don't have access to read the bug. So I'm really not sure what to do here. I could just blindly accept the patch, but then I'm permanently deviating from upstream. Should I discuss with upstream? I could grab Red Hat's latest SRPM and see how long they've been using this patch, or I could dig through upstream's CVS repository and see what the status is there. -- Jay Berkenbilt <[email protected]> -- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected]

