Comment 23 for bug 1606500

Jeremy Stanley (fungi) wrote : Re: Heat: template source URL allows network port scan

Tristan's impact description in comment #10 looks good to me, unless versions prior to 5.0.0 are also vulnerable (in which case we should omit the <=5.0.0 from the Affects line).

As for "skipping" advance notification but still doing everything else under embargo, I don't think there's a viable middle ground. Either the bug is not severe enough to need an embargo, in which case we should go ahead and open it now even if patches aren't ready and CVE assignment hasn't happened, or it's severe enough that we need to continue to follow our pre-OSSA downstream notification process with its usual coordination timeline. Waiting to disclose the bug until we have fixes figured out and tracking assigned in private, but not giving our downstream stakeholders a heads up about it, sends mixed signals to the community at large.