Comment on ICEBlock handled my vulnerability report in the worst possible way

rubin@lemmy.sdf.org ⁨1⁩ ⁨day⁩ ago

• Ulrich@feddit.org ⁨14⁩ ⁨hours⁩ ago

  Well the interesting thing here is that you took the time to type that out while he just blocked the person trying to report a security vulnerability.

  source
• BlueBockser@programming.dev ⁨21⁩ ⁨hours⁩ ago

  The example CVE linked in the article is plausible, though. The server was reportedly running 2.4.57 and the CVE was fixed in 2.4.60, so it’s definitely present in the software. Whether it would actually be exploitable is a different question.

  Overall, I don’t get your point about stable releases and backports. Yes, security patches are backported, but that results in a new release (2.4.60 in this case) which still has to be updated to. It’s not like you can just stay on 2.4.57 and magically still have the fix, that’s just not how software versioning is done.

  source

  • corsicanguppy@lemmy.ca ⁨12⁩ ⁨hours⁩ ago

    The server was reportedly running 2.4.57 and the CVE was fixed in 2.4.60, so it’s definitely present in the software.

    Overall, I don’t get your point about stable releases and backports.

    Clearly. Hint: it’s what Enterprise Linux has done for 20 years.

    source
  • eager_eagle@lemmy.world ⁨13⁩ ⁨hours⁩ ago

    Distros don’t update software versions when backporting some things, meaning they add a suffix they control to the version e.g. 2.4.57-ubuntu1.2 whatever, but the version reported by the software itself might still be 2.4.57.

    source