On Fri, Oct 19, 2007 at 12:18:44PM +0200, Arkadiusz Miskiewicz wrote:
>
> I wonder why no new release is made when a security bug is found?

You probably open a good topic. We have never talked about any release policy.

So, my point of view:

This is upstream, we are not doing support for end-users. I don't see __real__ demand for a release immediately after every important bug. I prefer a stable and well tested maintenance release every 2-3 months (e.g. 2.13.1) and a major release every 4-6 months (e.g. 2.14).

Let's flame :-)

The patch for CVE-2007-5191 is available in the stable branch and will be included in the next stable maintenance release 2.13.1 with other bug fixes.

Note, I think important bugs should be reported in this list together with patches. Sorry for CVE-2007-5191 (it wasn't public at commit time, ...).

The patch:
http://git.kernel.org/?p=utils/util-linux-ng/util-linux-ng.git;a=commit;h=ebbeb2c7ac1b00b6083905957837a271e80b187e

CVE-2007-5191 is not critical according to discussion in the vendor-sec mailing list.

    Karel

--
Karel Zak <kzak@xxxxxxxxxx>