On Sun, Nov 01, 2020 at 04:58:41PM +0100, Daniel Leidert wrote:
> On Sunday, 01.11.2020, 14:14 +0100, Ole Streicher wrote:
> 
> > I just stumbled upon the following web page:
> > 
> > https://cyber-itl.org/2020/10/28/citl-7000-defects.html
> 
> The list misses the package version. IMHO this is rather vital information.
> They also used Ubuntu 18.04 which is more than two years old.
> 
> Also I find it weird that they expect every package maintainer to contact them
> and prove their association. If they detected a bug or even a vulnerability it
> affects the upstream project as well as every downstream packager.
> 
> Maybe our DPL or the TC or security team can get their hands on the full data.

No, this must not be done.

Why are people here so eager to look at raw fuzzer output from some 
random third party, when at the same time there is a huge lack of 
manpower for handling the many bugs in our BTS reported by our users?

It is not our duty to debug security vulnerabilities in upstream software
some random company found by running a fuzzer and advertised with bold
claims, a company that did not even bother to submit proper bug reports.

We should not fall for this bait, and any positive statement or request 
towards this company would only reward such bad practices.

It is our duty to take care of the problems reported to us by our users.

If anyone in this discussion has spare time, please spend it on the 
issues that have been properly reported to us instead.

> Regards, Daniel

cu
Adrian