Hello,

The recent CVE-2021-44832 has been subject to quite some debate as to whether it was CVE-worthy or not. I think that one had far-fetched assumptions and could very well be addressed in a patch release, just like we did, but without a CVE associated with it. The created CVE caused yet another wave of FUD surrounding the project. I can imagine millions of deployments all around the world were marked as flagged by monitoring tools and people rushed to upgrade in panic, most likely, for no reason. I put aside the damage CVEs cause to the reputation of the project.

I am told by [email protected] that what is CVE-worthy is up to the PMC. *I propose creating a VOTE thread for the CVE creation from now on.* I would appreciate it if others can share their thoughts on this. If the overall reception is positive, I will send a VOTE email to make this official.

Kind regards.
