On Mon, Nov 02, 2020 at 06:09:18PM +0100, Björn Persson wrote:
> Miroslav Lichvar wrote:
> > The main problem is that they don't fix all known security issues. In
> > the CVE list I see about 10 issues that were not fixed at all or only
> > partially, some exploitable in default configuration.
>
> That sounds bad. Where is that list? In Red Hat Bugzilla I see only two.

There is no official list. You would need to inspect the code to see
what has actually been fixed. For some CVEs they only provided
mitigations and in some cases the fixes were wrong or incomplete. You
can look for my comments in the upstream bugzilla.

The list of 10 issues that I think are not (fully) fixed yet follows.
Probably not complete or completely accurate, but if you need details
about a specific issue, I can check the code.

CVE-2013-5211
CVE-2015-7705
CVE-2015-7974
CVE-2015-7979
CVE-2015-8139
CVE-2016-1548
CVE-2016-4955
CVE-2016-7426
CVE-2018-7170
CVE-2020-13817

-- 
Miroslav Lichvar
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
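The message above makes two practical points: there is no official list of which ntp CVEs a given package build addresses, and a CVE that is "mentioned" somewhere may only have received a mitigation or a partial fix. A first-pass triage a packager or auditor can do before reading the code is to cross-reference a CVE list against the package's own changelog (on an RPM system, `rpm -q --changelog ntp`) and separate the CVEs it never mentions from the ones whose only mention reads like a workaround. The script below is an added example, not code from the thread, from Miroslav, or from the ntp or Fedora projects; the changelog text in it is constructed for illustration and does not describe any real build, and the keyword heuristic (`mitigation`, `partial`, `workaround`) is an assumption about how packagers tend to word such entries. Whatever it reports is only a pointer to where to look; as the message says, only inspecting the code tells you what was actually fixed.

```python
import re
from collections import defaultdict

# Constructed sample changelog in rpm "%changelog" style. Made up for this
# example; it is not the changelog of any real ntp package build.
SAMPLE_CHANGELOG = """\
* Tue Jun 23 2020 Packager <packager@example.com> - 4.2.6p5-30
- partial mitigation for CVE-2020-13817 (restrict refid handling)
* Thu Mar 15 2018 Packager <packager@example.com> - 4.2.6p5-29
- fix CVE-2018-7170
- fix CVE-2016-4955
* Wed Jan 20 2016 Packager <packager@example.com> - 4.2.6p5-25
- fix CVE-2015-7705 CVE-2015-7974 CVE-2015-8139
* Fri Jan 10 2014 Packager <packager@example.com> - 4.2.6p5-18
- add workaround for CVE-2013-5211 (disable monlist by default)
"""

# The ten CVEs Miroslav lists in the message above as not (fully) fixed.
REPORTED_UNFIXED = [
    "CVE-2013-5211", "CVE-2015-7705", "CVE-2015-7974", "CVE-2015-7979",
    "CVE-2015-8139", "CVE-2016-1548", "CVE-2016-4955", "CVE-2016-7426",
    "CVE-2018-7170", "CVE-2020-13817",
]

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

# Assumed wording heuristic: a changelog line using one of these words is
# treated as describing something weaker than a full fix.
WEAK_FIX_WORDS = ("mitigation", "partial", "workaround")


def cve_mentions(changelog):
    """Map each CVE id found in the changelog to the lines that mention it."""
    mentions = defaultdict(list)
    for line in changelog.splitlines():
        for cve in set(CVE_RE.findall(line)):
            mentions[cve].append(line.strip())
    return dict(mentions)


def triage(changelog, cve_list):
    """Split cve_list into three buckets against the changelog:

    unmentioned   - never referenced; nothing claims a fix at all
    weak_only     - every mention uses mitigation/partial/workaround wording
    claimed_fixed - at least one mention does not use such wording
    """
    mentions = cve_mentions(changelog)
    result = {"unmentioned": [], "weak_only": [], "claimed_fixed": []}
    for cve in cve_list:
        lines = mentions.get(cve)
        if not lines:
            result["unmentioned"].append(cve)
        elif all(any(w in ln.lower() for w in WEAK_FIX_WORDS) for ln in lines):
            result["weak_only"].append(cve)
        else:
            result["claimed_fixed"].append(cve)
    for bucket in result.values():
        bucket.sort()
    return result


def report(changelog=SAMPLE_CHANGELOG, cve_list=REPORTED_UNFIXED):
    """Print a human-readable triage; the buckets are what to audit first."""
    buckets = triage(changelog, cve_list)
    mentions = cve_mentions(changelog)
    print("Never mentioned in changelog (no fix claimed):")
    for cve in buckets["unmentioned"]:
        print("  ", cve)
    print("Only mitigation/partial/workaround wording (audit the change):")
    for cve in buckets["weak_only"]:
        for ln in mentions[cve]:
            print("  ", cve, "<-", ln)
    print("Changelog claims a fix (still verify against the code):")
    for cve in buckets["claimed_fixed"]:
        print("  ", cve)
    return buckets


if __name__ == "__main__":
    report()
```

Feeding real input is a matter of replacing `SAMPLE_CHANGELOG` with the output of `rpm -q --changelog ntp` (or the project's NEWS/ChangeLog). The "claimed_fixed" bucket is deliberately the least trustworthy one: a line saying "fix CVE-X" is exactly the kind of entry the message warns may be wrong or incomplete.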