Comment 6 for bug 1706900

Nils Toedtmann (m-launchpad-net-mail-nils-toedtmann-net) wrote :

Thanks for fixing so quickly once this ticket was raised!

I have questions though about the time before.

rabbitmq-server is in the Canonical-supported 'main' repo of two active Ubuntu LTS releases. In Dec 2016, a security issue and a patch are published upstream, rated 'critical'. Debian rates it as 'high' and releases updates within a month. At some point in time (I can't say when), the issue appears in Ubuntu's CVE tracker (see above) and gets marked 'medium'. Other than that, nothing happens at Ubuntu until a random user (me) stumbles upon it and files this very bug report.

- Why was this bug rated lower than upstream ('medium' rather than 'critical')?
- What is the CVE tracker for, if not triggering the process leading to security updates where necessary?
- Are there targets defined/documented somewhere for how quickly upstream security patches ought to be integrated into 'main' LTS packages?
- Assuming we agree that 7 months is too long (right?), what is being done to make sure those targets are met?