(redirecting replies to the vte2.91 bug, this doesn't seem like something that we need to bother the release team with)
On Sat, 17 Jun 2023 at 21:06:07 +0200, Salvatore Bonaccorso wrote:
> On Sat, Jun 17, 2023 at 03:22:21PM +0100, Simon McVittie wrote:
> > I asked the security team whether they wanted to do a DSA for
> > this and haven't heard back, so I'm assuming the answer is no.
>
> Apologies, we have missed replying to your question in #1037919. The
> point release approach looks indeed fine.
>
> FWIW, do you know if upstream has requested a CVE for it?

I am not aware of any attempt to request a CVE. It's not clear to me
whether upstream consider it to be a denial-of-service security issue,
or an ordinary non-security bug (and I'm not really sure myself, tbh):
the discussion on the upstream bug says

    In this issue here there is no buffer overflow or vulnerability,
    just an indefinite hang (maybe classified as potential DoS). While
    this is a bit bad, it's a 5 year old bug and this is the first
    report of it, so I don't think it's too grave.

Please see https://gitlab.gnome.org/GNOME/vte/-/issues/2631 for any
other details or coordination that might be needed.

    smcv