Re: responding to CVEs

2019-01-16 Thread Andrew Haley
On 1/14/19 4:08 PM, Kevin Kofler wrote:
> Dave Love wrote:
>> I ask because three CVEs have triggered automated bug reports against
>> libxsmm . I don't
>> understand why the CVEs were issued, since a problem with unrealistic
>> input to a

Re: responding to CVEs

2019-01-14 Thread Huzaifa Sidhpurwala
On 01/14/2019 09:38 PM, Kevin Kofler wrote:
> Dave Love wrote:
>> I ask because three CVEs have triggered automated bug reports against
>> libxsmm . I don't
>> understand why the CVEs were issued, since a problem with unrealistic
>> input to a

Re: responding to CVEs

2019-01-14 Thread John Harris
On Monday, January 14, 2019 8:35:10 AM EST Dave Love wrote:
> On that basis I didn't bother including the upstream patch with the
> latest version, and I'm inclined to close the issues as wontfix.
If these vulnerabilities are already fixed, surely it's best to just apply the patch that fixes it

Re: responding to CVEs

2019-01-14 Thread Björn Persson
Dave Love wrote:
> I don't
> understand why the CVEs were issued, since a problem with unrealistic
> input to a (rather rarely used) development tool doesn't strike me as a
> security problem.
Your "surely nobody would do that" attitude is one of the major causes why security holes are so

Re: responding to CVEs

2019-01-14 Thread Kevin Kofler
Dave Love wrote:
> I ask because three CVEs have triggered automated bug reports against
> libxsmm . I don't
> understand why the CVEs were issued, since a problem with unrealistic
> input to a (rather rarely used) development tool doesn't

Re: responding to CVEs

2019-01-14 Thread Gerald Henriksen
On Mon, 14 Jan 2019 13:35:10 +0000, you wrote:
>Is there any specific requirement to change packages in response to
>CVEs, specifically if they appear to be bogus? I can't find anything
>specifying that.
>
>I ask because three CVEs have triggered automated bug reports against
>libxsmm

Re: responding to CVEs

2019-01-14 Thread mcatanzaro
On Mon, Jan 14, 2019 at 7:35 AM, Dave Love wrote: I ask because three CVEs have triggered automated bug reports against libxsmm . I don't understand why the CVEs were issued, since a problem with unrealistic input to a (rather rarely

Re: responding to CVEs

2019-01-14 Thread Zbigniew Jędrzejewski-Szmek
On Mon, Jan 14, 2019 at 01:35:10PM +0000, Dave Love wrote:
> Is there any specific requirement to change packages in response to
> CVEs, specifically if they appear to be bogus? I can't find anything
> specifying that.
>
> I ask because three CVEs have triggered automated bug reports against
>

responding to CVEs

2019-01-14 Thread Dave Love
Is there any specific requirement to change packages in response to CVEs, specifically if they appear to be bogus? I can't find anything specifying that. I ask because three CVEs have triggered automated bug reports against libxsmm . I don't