On Tuesday, 11 February 2020 at 17:53, Michael Catanzaro wrote: > On Tue, Feb 11, 2020 at 10:00 am, Dominik 'Rathann' Mierzejewski > <dominik@xxxxxxxxxxxxxx> wrote: > > It means that the fixes are available and can be applied to Fedora > > package if necessary. I'm still waiting for someone to point out a > > specific *unfixed* *critical* vulnerability that some of the folks > > posting in this thread mentioned. Otherwise, I see no reason to prevent > > me or anyone else from keeping gstreamer 0.10 packages alive in Fedora. > > CVE-2019-9928, buffer overflow in RTSP parsing This one is not critical. It's rated "Moderate" by Red Hat. It's also fixed in Ubuntu and SUSE (rated High and Important, respectively). > Yeah it would be a one-line patch to fix that, but that's not the > point. Point is the vast majority of security issues never get CVEs > and we rely on regular updates to the latest upstream version to avoid > those. Point taken, but it doesn't justify blocking the package from distribution just because you don't know what security vulnerabilities it has. You could say that about any number of other packages in Fedora. Regards, Dominik -- Fedora https://getfedora.org | RPM Fusion http://rpmfusion.org There should be a science of discontent. People need hard times and oppression to develop psychic muscles. -- from "Collected Sayings of Muad'Dib" by the Princess Irulan _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
