Hi,

I was about to remove runc from dla-needed, but since Adrian sent out a question email about the removal I thought about it one more time. (I'm trying to learn from my mistakes) :-)

I'm getting a little confused about the notes about runc in dla-needed. It says: Complete fix for CVE-2024-21626 would require backport of ...

But CVE-2024-21626 looks like it is already fixed by DLA-3735-1. If one looks at the status information in data/CVE/list, it looks like it is completely corrected. But from the dla-needed note it looks like it is not.

What is it? Is it a sufficient fix? Should we issue a new CVE for the remaining part? Should it be fixed? Should that remaining part be ignored?

My assumption is the following: The CVE is not completely fixed, but fixing the rest is not worth doing. With that assumption I'm now removing the entry from dla-needed. Please let me know if this is not correct.

I have moved the note from dla-needed to the CVE itself.

Cheers

// Ola

--
 --- Inguza Technology AB --- MSc in Information Technology ----
|  o...@inguza.com                    o...@debian.org            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
 ---------------------------------------------------------------