Hi Thorsten,

> > On Fri, May 10, 2024 at 06:39:20PM +0000, Thorsten Glaser wrote:
> >
> >> This is a bit like the limited security support for binutils,
> >> I suppose. Could/should we document that in the same places?
> >
> > Sure thing, this sounds similar to what was done for Lilypond,
>
> Ah, okay.
>
> > best to simply ship a similar README.Debian.security within
>
> I was thinking a README.Debian with:
>
> -----snip-----
> Note on possible security issues from untrusted input:
>
> Upstream has never considered it in scope that the software
> cannot “crash” on incorrect input, unfortunately. There is
> also no security or other support for this version branch
> from upstream. Please consider this and don’t expose the
> software to untrusted, possibly incorrect, input files to
> avoid triggering DoS or possible security problems in its
> parsers without suitable confining measures. This is even
> more true for import filters than for the native formats’
> parsers (and includes the MusicXML import).
>
> Mu͒seScore Studio was designed to operate as an unconnected
> desktop program and not as a remotely accessible service,
> so please take care.
> -----snap-----
This looks good to me! In the light of yet another CVE being assigned for
musescore (https://www.cve.org/CVERecord?id=CVE-2024-44866), could you please
make uploads for musescore2 and musescore3 with this file added before the
trixie freeze?

Thanks,
Moritz