Sorry for the horribly delayed response. I've been away on holiday.

>
> Actually I downloaded the libpng src.rpm with yumdownloader --source
> libpng and took a look into it, it contains the spec, the upstream
> tarball and two patches:
>
> libpng-1.2.10-multilib.patch
> libpng-1.2.10-pngconf.patch
>

All known libpng CVE ids are tracked via the following files:
http://cvs.fedora.redhat.com/viewcvs/fedora-security/audit/?root=fedora

If there are any CVE ids we're missing please let us know.

There are a number of CVE ids that are simply client crashes. We do not
consider client side crashes security issues, they are bugs. Some of them
get CVE ids. This is something MITRE is currently working on a policy for.
Right now they have a blanket policy of assigning a CVE id to anything
anyone calls a security flaw. It's then our job to weed through them and
find the relevant ones.

>
> > If you have concerns regarding a specific issue, feel free to bring that
> > up, but bug 211705 in no way represents a security flaw.
>
> But if the mentioned issues are no security flaws please document it in
> bugzilla, so it does not seem to be ignored.
>

I've updated that bug with a statement regarding those CVE ids. The two
mentioned in the bug are client crashes, thus are just bugs.

Thanks.

--
    JB

--
Fedora-security-list mailing list
Fedora-security-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-security-list