Bug#968606: vte: Racy NULL-ptr segfault in vte::terminal::update_repeat_timeout()

Moritz Mühlenhoff jmm at inutil.org
Thu Aug 20 22:42:42 BST 2020


On Tue, Aug 18, 2020 at 08:42:23PM +0100, Simon McVittie wrote:
> > 1) Can the Debian CNA assign a CVE number to this issue? It is technically a
> > vulnerability, and a CVE might convince the upstream developer towards a more
> > collaborative attitude.
> 
> CVE IDs are a mechanism for tracking known security vulnerabilities
> so that sysadmins and users can know which packages need updating or
> avoiding. They are not a weapon to beat maintainers with; please don't
> treat them as that.

Exactly.

> (Procedurally, I don't think the Debian CNA is allowed to assign CVE
> numbers to vulnerabilities that are already known outside Debian.)

Indeed. (Plus the use of the Debian CNA has also shifted to only apply
to Debian-specific tooling (like dpkg/apt) or Debian-specific security
issues.)

Cheers,
        Moritz


