So three python tickets I'm working on have a CVE that is "CLOSED WONTFIX". Apparently the patch to fix the DoS issue is intrusive and will not be backported to the 2.x or earlier 3.x releases by the upstream providers.
It may be possible to bump the python3 packages to python3-3.4 from python3-3.3 to get the patch, but 2.x versions are going to be a mess to fix; RHEL5/6 are not patching.
What is the policy? Do we still try and get the patch or follow upstream as a WONTFIX?
Thanks, David
On 09/05/2014 04:15 AM, David Cafaro wrote:
> So three python tickets I'm working on have a CVE that is "CLOSED WONTFIX". Apparently the patch to fix the DoS issue is intrusive and will not be backported to the 2.x or earlier 3.x releases by the upstream providers.
> It may be possible to bump the python3 packages to python3-3.4 from python3-3.3 to get the patch, but 2.x versions are going to be a mess to fix; RHEL5/6 are not patching.
> What is the policy? Do we still try and get the patch or follow upstream as a WONTFIX?
It depends on whether the WONTFIX was technically correct or not, and what's actually being fixed by the changes. With Python, 2.x WONTFIXs are sometimes abused to encourage migration to 3.x, and we might not want to play along with that. On the other hand, depending on the bug, there could be valid technical concerns which prevent backporting.
security-team@lists.fedoraproject.org