Bug#995785: Various vulnerabilities in mapserver
Sebastiaan Couwenberg
sebastic at xs4all.nl
Tue Oct 5 19:38:42 BST 2021
On 10/5/21 8:05 PM, Max Kellermann wrote:
> On 2021/10/05 19:15, Sebastiaan Couwenberg <sebastic at xs4all.nl> wrote:
>> tags 995785 upstream
>> forwarded 995785 https://github.com/MapServer/MapServer/pull/6418
>>
>> You should get CVEs for these security issues, then they will be tracked
>> more appropriately than with this bug report.
>
> Huh, what a strange justification to close a bug report about security
> vulnerabilities.
>
> I'm not interested in tracking this issue - it's already tracked
> upstream, and my PR has already been approved. I wanted to help the
> Debian project to ship a vulnerability fix in its version-frozen stable
> releases. A regular new upstream release will not land in Bullseye,
> and without me telling you, it is unlikely that Debian users will ever
> receive those fixes.
>
> The last time I fixed vulnerabilities in MapServer (May 4th), the
> fixes didn't land in Debian either. Debian Bullseye shipped with a
> vulnerable MapServer version. MapServer 7.6.4 was released on July
> 12th with my vulnerability fixes, but Debian Bullseye was released a
> month later with the known-vulnerable version 7.6.2.
Security issues in packages are tracked via CVEs in:
https://security-tracker.debian.org/tracker/
Only high severity issues are worth our time to fix in stable. If you
don't follow proper procedure and get CVEs for your security issues,
they won't get any severity assigned and hence won't get fixed in stable.
Kind Regards,
Bas
--
GPG Key ID: 4096R/6750F10AE88D4AF1
Fingerprint: 8182 DE41 7056 408D 6146 50D1 6750 F10A E88D 4AF1