On Mon, 14 Jan 2019 13:35:10 +0000, you wrote:

>Is there any specific requirement to change packages in response to
>CVEs, specifically if they appear to be bogus? I can't find anything
>specifying that.
>
>I ask because three CVEs have triggered automated bug reports against
>libxsmm <https://apps.fedoraproject.org/packages/libxsmm/bugs>. I don't
>understand why the CVEs were issued, since a problem with unrealistic
>input to a (rather rarely used) development tool doesn't strike me as a
>security problem.
>
>On that basis I didn't bother including the upstream patch with the
>latest version, and I'm inclined to close the issues as wontfix. Would
>that be appropriate?

I'm confused, if upstream has fixed the issue why wouldn't you apply the fix?