How to handle CVE marked "WONTFIX"

Thursday, 4 September 2014

So three python ticket I'm working have a CVE that is "CLOSED WONTFIX". 
Apparently the patch to fix the DoS issue is intrusive and will not be back ported to the
2.x or earlier 3.x releases by the upstream providers.

It may be possible to bump the python3 packages to python3-3.4 from python3-3.3 to get the
patch, but 2.x versions are going to be a mess to fix, RHEL5/6 are not patching.

What is the policy?  Do we still try and get the patch or follow upstream as a WONTFIX?

Thanks,
David

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

How to handle CVE marked "WONTFIX"