Comment 10 for bug 634183

In , Vincent (vincent-redhat-bugs) wrote :

MITRE assigned these CVEs. We can certainly dispute the CVE assignment if we feel it is in error.

If rpm doesn't set POSIX ACLs then we probably should dispute it (regardless of the other capabilities because each of those has its own CVE name). It can't be a vulnerability if rpm never sets them (and I don't think we can call it a vulnerability in rpm if an admin sets a POSIX ACL, the file gets hardlinked, and rpm doesn't remove the ACLs that a) it never set and b) doesn't know about).