Hi Ola,
On 10/04/24 at 22:08, Ola Lundqvist wrote:
> Hi all
>
> Sorry for the late reply. It took me too long today to answer the CVE
> triaging discussion. Now to this issue.
>
> Regarding the Fedora patches, the patches seem to help for those
> specific issues they solve.
>
> My intention
On Wed, Apr 10, 2024 at 10:08:51PM +0200, Ola Lundqvist wrote:
> Hi all
Hi Ola,
> Sorry for the late reply. It took me too long today to answer the CVE
> triaging discussion. Now to this issue.
>
> Regarding the Fedora patches, the patches seem to help for those
> specific issues they solve.
>
>
Hi again
I have started with a document that clarifies the severity levels. I
also introduced the level "critical" but I'm not sure it adds any
value.
https://inguza.com/document/debian-security-severity-levels
This is just a first draft. It is not final. But comments are welcome.
// Ola
On Wed,
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
- -
Debian LTS Advisory DLA-3786-1            debian-...@lists.debian.org
https://www.debian.org/lts/security/      Adrian Bunk
                                          April 10, 2024
Hi all
Sorry for the late reply. It took me too long today to answer the CVE
triaging discussion. Now to this issue.
Regarding the Fedora patches, the patches seem to help for those
specific issues they solve.
My intention for claiming the package was to go through the CVEs and
mark them with
Hi Raphael
You can see corrected statistics in a separate email.
Now to comment a few things below.
On Wed, 10 Apr 2024 at 10:49, Raphael Hertzog wrote:
>
> Hello,
>
> On Tue, 09 Apr 2024, Ola Lundqvist wrote:
> > Let me use some data from CVEs for last year 2023.
> > I used the following
Hi Chris and Raphael
Raphael, I'll comment on your things in a separate email. This is to
correct/check the statistics.
It could very well be a counting error. That is why I wrote how I did it.
To check a little I checked out the list from the 1st of January 2023.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 10 Apr 2024 20:46:20 +0300
Source: pillow
Architecture: source
Version: 5.4.1-2+deb10u6
Distribution: buster-security
Urgency: medium
Maintainer: Matthias Klose
Changed-By: Adrian Bunk
Changes:
pillow (5.4.1-2+deb10u6)
On Wed, Apr 10, 2024 at 12:17:33PM -0400, Roberto C. Sánchez wrote:
> On Mon, Apr 08, 2024 at 07:56:40PM +0300, Adrian Bunk wrote:
> > On Mon, Apr 08, 2024 at 05:34:47PM +0200, Moritz Muehlenhoff wrote:
> > >
> > > So a useful next step would be to break those reports down into separate
> > > bug
On Wed, Apr 10, 2024 at 08:08:07PM +0300, Adrian Bunk wrote:
>
> My point was that an opposite approach of doing only
> "file upstream bugs and wait for upstream to fix the CVEs"
> is unlikely to have a positive outcome in this case.
>
> Forwarding fixes upstream is of course desirable,
> even
On Mon, Apr 08, 2024 at 07:56:40PM +0300, Adrian Bunk wrote:
> On Mon, Apr 08, 2024 at 05:34:47PM +0200, Moritz Muehlenhoff wrote:
> >
> > So a useful next step would be to break those reports down into separate
> > bug reports and file them there so that upstream actually learns about
> > them.
Raphael Hertzog wrote:
> Those numbers are quite surprising. I hope there's some error somewhere
> otherwise I wonder what has been done in the 2400+ hours paid each year to
> work on LTS... I'm pretty sure we have fixed more than 58 CVE. The average
> month has 20 to 30 updates (see
>
Hello,
On Tue, 09 Apr 2024, Ola Lundqvist wrote:
> Let me use some data from CVEs for last year 2023.
> I used the following method to extract the data
> grep -B 5 '\[buster\]' list | grep -A 5 "^CVE-2023-" | grep '\[buster\]'
> and then grepped for the end-of-life, not-affected (and so on to