I agree with Utkarsh, Even one CVE should be
fixed if there are no objective reasons not to do it.
Yes, if it is minor, it can be postponed, but not longer
over a reasonable amount of time.
Regards
Anton
Am Di., 17. Mai 2022 um 14:28 Uhr schrieb Utkarsh Gupta
<guptautkarsh2102@gmail.com>:
>
> Hi Ola,
>
> On Tue, May 17, 2022 at 12:35 PM Ola Lundqvist <ola@inguza.com> wrote:
> > While triaging today I noticed this rather old CVE. The elog package
> > is clearly vulnerable (at least when looking through the source code).
> > However I noticed that elog is removed (exists in buster and bullseye
> > though) and it has a very low popcon score.
> >
> > Is it worth fixing?
>
> I think this is a "<postponed> (Fix along with the next DLA)"
> candidate. It doesn't appear to be severe to warrant a DLA
> independently (unless I've overlooked something here).
>
> > If not, we should say that this package is unsupported.
>
> I don't think so. The only open CVE has a fix present. We should only
> mark something as unsupported when there's a solid reason to, for
> instance, the number of CVEs are too much with no or little
> help/cooperation from upstream, et al, et al. In this case, I don't
> think we should mark this as EOL yet.
>
>
> - u
>