on "vulnerabilities" (Re: CVE-2025-30258 (was: [Announce] GnuPG 2.5.5 released))
Bernhard Reiter
bernhard at intevation.de
Tue Mar 25 16:23:46 CET 2025
On Tuesday 25 March 2025 15:11:07, Bernhard Reiter via Gnupg-users wrote:
> Someone assigned a low/medium CVE number for this vulnerability:
To clarify, I wrote
While by common definitions this defect is a software vulnerability, the low
CVSSv3 score (2.7 by Red Hat) shows that it is not something which needs a quick
fix. Even a CVE number is not really helpful. The reasons are:
* if defects like this get CVE numbers, then many regular improvements in
software development would need to get one, which is too many to be useful.
The significant vulnerabilities that must be fixed quickly would be drowned
among regular _fixes_.
* the term _vulnerability_ sometimes triggers the need for a patch or a fast
fix - out of the regular schedule. Those fixes come with their own risks
because of the accelerated development. As we have a low-severity thing here,
a quick fix is potentially less secure than a regular maintenance release.
In that sense we do not have a _vulnerability_ - as we do not need a quick fix
and it is more like a regular defect, of which there are many.
to
https://forum.gnupg.org/t/any-new-gpg4win-update-beyond-version-4-4-0-planned/6402/7?u=bernhard
Bernhard