CVE-2020-8859 for elog, should we support it?

To: Debian LTS <debian-lts@lists.debian.org>
Subject: CVE-2020-8859 for elog, should we support it?
From: Ola Lundqvist <ola@inguza.com>
Date: Tue, 17 May 2022 09:05:03 +0200
Message-id: <[🔎] CABY6=0=T1_jMwZXAmBDG69RyXFduUu6jTBe4z6iCB9+XJThjAw@mail.gmail.com>

Hi team

While triaging today I noticed this rather old CVE. The elog package
is clearly vulnerable (at least when looking through the source code).
However I noticed that elog is removed (exists in buster and bullseye
though) and it has a very low popcon score.

Is it worth fixing?

If not, we should say that this package is unsupported.

Cheers

// Ola

-- 
 --- Inguza Technology AB --- MSc in Information Technology ----
|  ola@inguza.com                    opal@debian.org            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
 ---------------------------------------------------------------

Reply to:

Follow-Ups:
- Re: CVE-2020-8859 for elog, should we support it?
  - From: Utkarsh Gupta <guptautkarsh2102@gmail.com>

Prev by Date: Question and proposed change for lts-cve-triage.py
Next by Date: fis-gtm and support?
Previous by thread: Re: Tracking buster/stable updates suitable for LTS
Next by thread: Re: CVE-2020-8859 for elog, should we support it?
Index(es):
- Date
- Thread