2016.09.23 17:03 "Re: [Tiff] LibTIFF vulnerabilities", by Lee Howard
On 09/23/2016 08:15 AM, Bob Friesenhahn wrote:
While a fix may be committed to libtiff CVS expediently, this does not necessarily result in an expedient fix to the millions of copies of libtiff which are already in use.
Ideally there would be a coordinated release that involved packages at as many distributions as possible... RedHat, SuSE, Fedora, Debian, Ubuntu, etc.
That said, the most-recently fixed vulnerabilities were in the tools side rather than the library side... so that mitigates the risks considerably. If these vulnerabilities are similarly risk-mitigated, then the effort for a coordinated release may not be wholly necessary or even more-productive than an earlier announcement.