On Tuesday, 25 March 2025 at 15:11:07, Bernhard Reiter via Gnupg-users wrote:
> Someone assigned a low/medium CVE number for this vulnerability:
To clarify, I wrote

    While by common definitions, this defect is a software vulnerability, the low CVSSv3 (2.7 by Redhat) shows that it is not something which needs a quick fix. Even a CVE number is not really helpful. The reasons are:

    * if defects like this get CVE numbers, then many regular improvements in software development would need to get one. Which is too many to be useful. The significant vulnerabilities that must be fixed quickly would be drowned within regular _fixes_.

    * the term _vulnerability_ sometimes triggers the need for a patch or a fast fix - out of the regular schedule. Those fixes come with their own risks because of the accelerated development. As we have a low severity thing here, a quick fix is potentially less secure than a regular maintenance release.

    In that sense we do not have a _vulnerability_ - as we do not need a quick fix and it is more like a regular defect for which there are many.

to https://forum.gnupg.org/t/any-new-gpg4win-update-beyond-version-4-4-0-planned/6402/7?u=bernhard

Bernhard
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users