[Bug 198108] CVE-2006-3581, CVE-2006-3582: Multiple stack/heap overflow vulnerabilities in adplug


Summary: CVE-2006-3581, CVE-2006-3582: Multiple stack/heap overflow vulnerabilities in adplug
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=198108

------- Additional Comments From ville.skytta@xxxxxx  2006-07-28 12:17 EST -------
(In reply to comment #4)
> Yeah, sorry I know, in this case I happened to maintain all affected packages

Yes, but only in FE.  3rd party repositories and local packages which use the
libs are affected too.

> However, for a first timer the question arises: how do I properly retire an .so
> file with security vulnerabilities? (Cannot find a good idea in any
> guidelines.)

If doable and feasible, backporting only the security fixes and avoiding the
soname change would be one way of handling it smoothly.

An incompatible upgrade policy and instructions are slowly in the works, but so
far there is no consensus except that the very least one should do is to send a
mail to fedora-maintainers, notifying about the issue, beforehand if at all
possible so others (including non-FC/FE packagers) can prepare.

Here's one example which IMO is being handled well.
https://www.redhat.com/archives/fedora-maintainers/2006-July/msg00397.html
https://www.redhat.com/archives/fedora-maintainers/2006-July/msg00398.html


--
Fedora-security-list mailing list
Fedora-security-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-security-list
