On Sun, 1 Mar 2020, Roberto C. Sánchez wrote:
> The rationale behind the no-dsa decision for stretch/buster is unknown to me.
> Even upstream said in the announcement [1] (linked from the security tracker) that it is only a minor vulnerability.
> As far as the other CVEs, it is my practice to review postponed vulnerabilities, but not ignored or no-dsa vulnerabilities. If we are meant to revisit all unfixed vulnerabilities when working on a package, then that is news to me.
According to [2] no-dsa means that there should be no immediate DSA/DLA. Only <ignored> ones never get an update.
Thorsten

[1] https://www.zsh.org/mla/zsh-announce/141
[2] https://security-team.debian.org/security_tracker.html#issues-not-warranting-a-security-advisory