Imagemagick version

I’ve run vulnix --system on my server which is on the 20.09 branch and it showed a LOT of open CVEs which is a bit concerning. The worst of them is imagemagick-6.9.11-60 with 81 open CVEs which go up to a score of 9.8 (and some of the CVEs date back to 2016). There is also security roundup 99 which detected 79 of these CVEs for imagemagick. CVE-2016-5841 is still apparently unresolved after over 4 years, plus I have some more questions:

  • Are these CVEs mainly unpatched because of missing interest/manpower?
  • Vulnix has an entry about whitelisting in the readme.
  • Is there already a whitelist of CVEs for which an issue already exists? If so, can this list be made accessible?
  • Is there some kind of “policy/guideline” to decide which CVEs should be patched and which not (of course as there is not enough manpower “as much as possible” is probably fine).
  • Vulnix reported CVEs for 37 packages built on my server and some of them aren’t in a security roundup. I could easily identify some of them as not applicable to NixOS (e.g. debian packaging problem), but wasn’t sure of others (e.g. NVD - CVE-2020-8625) which may need to be patched for NixOS 20.09. Should I just create Github issues for these and CC the maintainers or is there a preferred way to handle them (e.g. so that they won’t appear in a following roundup)?
  • The package imagemagick currently doesn’t have any maintainer listed, but is obviously a dependency for lots of other packages. Is this a bad thing (and part of the problem) or are such prominent packages managed in a “more organically” way and therefore don’t need a maintainer?

> Is there some kind of “policy/guideline” to decide which CVEs should be patched and which not (of course as there is not enough manpower “as much as possible” is probably fine)

If it is a maintained release (such as currently NixOS 20.09), every CVE should ideally be patched. Sometimes some CVEs do not get patched quickly. The reason is the same as why some PRs do not get reviewed quickly: there are too few people triaging them and making backport PRs. Also, a lot of packages have maintainers that are inactive and do not take the responsibility to track CVEs and backport fixes. Finally, continuously triaging CVEs is relatively boring and repetitive work. IMO, we’d ideally pay someone several hours a week to do this work (from donations). I think this would go a long way of fixing CVEs in widely-used packages quickly.