Re: pluxml issues are questionable, request for advice

To: Ola Lundqvist <ola@inguza.com>
Cc: Debian LTS <debian-lts@lists.debian.org>
Subject: Re: pluxml issues are questionable, request for advice
From: Adrian Bunk <bunk@debian.org>
Date: Wed, 16 Dec 2020 10:28:47 +0200
Message-id: <[🔎] 20201216082847.GA21088@localhost>
In-reply-to: <[🔎] CABY6=0k+BBy+V7V2UpGh8wDcW87za-x_DG0HPqcGev5v9TubLQ@mail.gmail.com>
References: <[🔎] CABY6=0k+BBy+V7V2UpGh8wDcW87za-x_DG0HPqcGev5v9TubLQ@mail.gmail.com>

On Wed, Dec 16, 2020 at 07:36:19AM +0100, Ola Lundqvist wrote:
> Hi LTS team
> 
> I have checked two of the pluxml issues
> CVE-2020-18184
>  This vulnerability is questioned upstream.
>...
> The question is how this should be marked:
> - no-dsa minor issue?
> - ignored?
>...

"not a vulnerability" or "no security impact" is usually marked 
"unimportant", see e.g.
https://security-tracker.debian.org/tracker/source-package/python3.7

For pluxml the same CVEs are "vulnerable" in stable+unstable and with RC 
bug #973382 open, the security team should know best how to handle this
based on your analysis.

> Best regards
> 
> // Ola

cu
Adrian

Reply to:

Follow-Ups:
- Re: pluxml issues are questionable, request for advice
  - From: Moritz Mühlenhoff <jmm@inutil.org>

References:
- pluxml issues are questionable, request for advice
  - From: Ola Lundqvist <ola@inguza.com>

Prev by Date: pluxml issues are questionable, request for advice
Next by Date: Re: pluxml issues are questionable, request for advice
Previous by thread: pluxml issues are questionable, request for advice
Next by thread: Re: pluxml issues are questionable, request for advice
Index(es):
- Date
- Thread