Re: security upload imposing load on other parts of Debian
On Sun, Mar 01, 2020 at 01:27:03PM +0100, Thorsten Alteholz wrote:
>
>
> On Sun, 1 Mar 2020, Emilio Pozuelo Monfort wrote:
> > I think we can all agree that the problem here is that there was an unexpected
> > issue (a security upload getting rejected) that required sort of immediate work
> > from a third party (an ftp-master).
>
> I would like to add here, that the CVE in question is marked as no-dsa in
> Stretch and Buster, so I don't see that the term "immediate" is appropriate.
> And while I am at it, why aren't the other seven CVEs for zsh that are also
> marked as no-dsa solved as well?
>
The stretch/buster triage decision was made after I had completed the
jessie package. I happen to think that this particular vulnerability
(CVE-2019-20044) merits fixing since it involves a privilege escalation
of sorts. The rationale behind the no-dsa decision for stretch/buster
is unknown to me.
As far as the other CVEs, it is my practice to review postponed
vulnerabilities, but not ignored or no-dsa vulnerabilities. If we are
meant to revisit all unfixed vulnerabilities when working on a package,
then that is news to me.
Regards,
-Roberto
--
Roberto C. Sánchez