On Thu, 2015-03-12 at 07:35 +0000, Sona Sarmadi wrote:
> Hi Alex,
>
> Yes I agree with you but this is already a public CVE. Maybe in the
> future we will/should just discuss security related issues in the
> yocto-secur...@yoctoproject.org mailing list, but right now we don’t
> have many members so I copy to the yocto@yoctoproject.org list as
> well.

I think this list is not published in the yocto lists page:
https://www.yoctoproject.org/tools-resources/community/mailing-lists

And, who would be able to subscribe to it? invite-only? public?

> My intention is to make the list aware of security
> vulnerabilities/CVEs which keep coming all the time. I encourage
> everyone to do this. We will sooner or later create a bug in Bugzilla if
> needed or just backport the CVE to our version or upgrade the recipes
> in the affected package to the version which is not vulnerable.
>
> //Sona
>
> From: Alexandru Vaduva [mailto:vaduvajanalexan...@yahoo.com]
> Sent: den 12 mars 2015 00:28
> To: Sona Sarmadi; yocto-secur...@yoctoproject.org
> Cc: yocto@yoctoproject.org
> Subject: Re: [yocto] bind: issue in trust anchor management can cause
> named to crash (CVE-2015-1349)
>
> Wouldn't it be better for the bugs to be only mentioned on the
> security list?
>
> It is my opinion that knowing about a risk before it is fixed could cause
> more harm than good.
>
> What do you think about this?
>
> Alex Vaduva