Comment 178 for bug 2059809

Jeremy Stanley (fungi) wrote : Re: Arbitrary file access through QCOW2 external data file (CVE-2024-32498)

Kurt: We do notify and supply upstream patches to any public OpenStack cloud providers who express interest, not just representatives of distributions.

That said, it's also typical for most general GNU/Linux distributions, I think, to push fixed packages to their mirrors some hours ahead of upstream and downstream advisory publication. Distributing fixes in advance is fine with me as long as the window of time between fix availability and advisory publication is short enough (24 hours at most, but ideally more like 3-6?). Publishing commit messages, changelogs, release notes, or other detailed explanations of the issues should be avoided prior to the upstream announcement, however.