Hi all,

Sorry for the late reply. It took me too long today to answer the CVE triaging discussion. Now to this issue.

Regarding the Fedora patches: the patches seem to help for those specific issues they solve.

My intention for claiming the package was to go through the CVEs and mark them with postponed or similar. When I'm done with that, maybe I will start to fix things, but I claimed it just to avoid double work when going through the issues. I'll start with that now, and I hope I can release the package when I'm done with that. I'll re-claim it when/if I think they are worth fixing.

What is clear after checking all reverse dependencies is that all software packages using the freeimage library are of the "tool" type. You run it with human interaction, and the user using the tool should know the input. This reduces the severity of the problems.

Cheers // Ola

On Wed, 10 Apr 2024 at 19:23, Roberto C. Sánchez <robe...@debian.org> wrote:
>
> On Wed, Apr 10, 2024 at 08:08:07PM +0300, Adrian Bunk wrote:
> >
> > My point was that an opposite approach of doing only
> > "file upstream bugs and wait for upstream to fix the CVEs"
> > is unlikely to have a positive outcome in this case.
> >
> > Forwarding fixes upstream is of course desirable,
> > even when upstream is dead.
> >
> Ah, thanks for the clarification.
>
> Regards,
>
> -Roberto
>
> --
> Roberto C. Sánchez
>

--
--- Inguza Technology AB --- MSc in Information Technology ----
| o...@inguza.com o...@debian.org |
| http://inguza.com/ Mobile: +46 (0)70-332 1551 |
---------------------------------------------------------------