Hi Brian,

On Tue, 26 Jan 2016, Brian May wrote:
> Just wondered why imagemagick was marked in data/dla-needed.txt?

At least someone found these issues so remarkable that an entry in our CVE list exists.

> For the memory leaks and null pointer issues: Do we take the pessimistic point of view and assume that they are security issues that need fixing, or should we be conservative?

As long as the security team does not decide otherwise, I would be pessimistic.

> Suspect exploiting this might be difficult.

Isn't the nature of exploits to be difficult?

> Also, at what point do we decide that a CVE is needed for issues like this?

We don't decide about CVEs, they are assigned by Mitre. We just do DLAs whenever one is needed and this depends on the severity and/or the number of issues ...

Thorsten