On 09/05/2014 04:15 AM, David Cafaro wrote:
So three Python tickets I'm working on have a CVE that is
"CLOSED WONTFIX". Apparently the patch to fix the DoS issue is intrusive and
will not be backported to the 2.x or earlier 3.x releases by the upstream providers.
It may be possible to bump the python3 packages to python3-3.4 from python3-3.3 to get
the patch, but 2.x versions are going to be a mess to fix; RHEL5/6 are not patching.
What is the policy? Do we still try and get the patch or follow upstream as a WONTFIX?
It depends on whether the WONTFIX was technically correct or not, and
what's actually being fixed by the changes. With Python, 2.x WONTFIXs
are sometimes abused to encourage migration to 3.x, and we might not
want to play along with that. On the other hand, depending on the bug,
there could be valid technical concerns which prevent backporting.
Florian Weimer / Red Hat Product Security