
Re: pluxml issues are questionable, request for advice

severity 973382 normal

Hi Moritz and Adrian,

Thank you for the advice. I have now marked these two CVEs as unimportant.
I have also downgraded the bug (with this email).

If someone does not agree, it is easy to revert my actions.


// Ola

On Wed, 16 Dec 2020 at 13:58, Moritz Mühlenhoff <jmm@inutil.org> wrote:
On Wed, Dec 16, 2020 at 10:28:47AM +0200, Adrian Bunk wrote:
> On Wed, Dec 16, 2020 at 07:36:19AM +0100, Ola Lundqvist wrote:
> > Hi LTS team
> >
> > I have checked two of the pluxml issues
> > CVE-2020-18184
> >  This vulnerability is questioned upstream.
> >...
> > The question is how this should be marked:
> > - no-dsa minor issue?
> > - ignored?
> >...
> "not a vulnerability" or "no security impact" is usually marked
> "unimportant", see e.g.
> https://security-tracker.debian.org/tracker/source-package/python3.7
> For pluxml the same CVEs are "vulnerable" in stable+unstable and with RC
> bug #973382 open, the security team should know best how to handle this
> based on your analysis.

When filing bugs in the BTS, the impact isn't always obvious, and when in
doubt they are filed with high severity to be on the safe side (the maintainer can
always downgrade anyway). If these are non-issues, it's usually best to reach
out to upstream and get the CVE disputed or rejected, but it seems no one
replied to Seth Arnold's question in issue 320 since October, so that's
probably in vain, so feel free to mark these as <unimportant>.


 --- Inguza Technology AB --- MSc in Information Technology ----
|  ola@inguza.com                    opal@debian.org            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
