On 07.07.2016 10:36, Santiago Ruano Rincón wrote:
> On 06/07/16 at 18:43, Bálint Réczey wrote:
>> Hi,
>>
>> 2016-07-06 18:22 GMT+02:00 Holger Levsen <hol...@layer-acht.org>:
>>> On Wed, Jul 06, 2016 at 05:57:43PM +0200, Markus Koschany wrote:
>>>> In this specific case I wouldn't do it because of the reasons I have
>>>> mentioned before but more input from others is welcome. If we decide to
>>>> fix these issues we also need to take care of valgrind, nescc,
>>>> libiberty, ht, gdb, gcc-h8300-hms and binutils-h8300-hms. Otherwise it
>>>> would be rather inconsistent.
>>>
>>> I disagree. Perfect is the enemy of good. We have inconsistencies in many
>>> places too.
>>>
>>> Brian's work was useful and should not be lost. It's good to close
>>> "minor" security holes.
>>
>> I agree. Sometimes a combination of "minor" issues can be exploited to
>> allow more severe attacks. If the fixes are safe, I think they should be
>> released.
>
> Hi,
>
> After talking with Salvatore and Guido, we plan to discuss the meaning of
> no-dsa for oldstable during the BoF tomorrow. One of the reasons for
> tagging minor issues no-dsa is to handle them via point releases. Since
> we don't have this in LTS, "minor" issues like those in binutils and co.
> should be handled/fixed earlier in oldstable.
>
> So, if we have safe fixes, there is no reason not to release them. Of
> course, everything is issue-specific.
I completely agree with the general statements made in this thread so far. However, my main concern was and still is that I can't imagine a real-life scenario where those CVEs pose any security risk for production systems. In the case of CVE-2016-6131 I doubt that this even qualifies as a security issue. So in my opinion these are just normal bugs and I was inclined to mark them as such. Perhaps "unimportant" (from a security point of view) would be a better term than "no-dsa" in this case.

I'm well aware that the security team tags those issues to handle them via point releases, although I sometimes disagree with their decisions, like for instance marking CVE-2015-3245 and CVE-2015-3246 as no-dsa although they are both clearly security issues and exploitable by any user with libuser installed on the system. I think in this case it would be better to increase the visibility of this fact by announcing a DSA.

Moritz' idea of releasing fixes as bundles via some sort of point release is worth considering, although I think we can be much more flexible, similar to the default-java switch when I uploaded 14 packages on one day. [1]

Regards,

Markus

[1] https://lists.debian.org/debian-lts-announce/2016/05/msg00007.html