On Fri, Jan 31, 2020 at 06:27:46AM +0100, Rafael Sadowski wrote:
> The diff contains some forgotten CVE entries in quirks. I went through
> all the January commits and looked for CVE in the commit msg.
>
> I also ran sort over the list.
>
> OK, opinions?
> + 'net/rsync' => 'rsync-<3.1.3p0',
Speaking more specifically about that one, the commit message for rsync does explain that the CVE status is very much dubious for the fixes. So adding it to quirks so that later we don't get into problems is good, but it's definitely NOT an emergency.

It's getting to the point that you actually have to read CVEs to figure out whether they are vulnerabilities or not. There's a huge difference between Qualys's analysis and some undefined behavior that behaves the same way in every architecture we have!

It's not really a problem to add things to the $cve list to be certain we don't miss anything, but it's more of a question of whether or not that stuff needs to hit stable. Quirks is reasonably cheap. Backporting fixes can be more costly, as we've seen with firefox recently...

It's a bit annoying that you can no longer really trust CVE to really be that, but I guess it was bound to happen.
