
Re: Question about tinymce dsa/non-dsa decisions



Hi

I have claimed the package myself now. I think the conclusion will be that all are minor issues and the package does not need an update. But we will see when I have gone through all the CVEs.

// Ola

On Sun, 10 Mar 2024 at 23:26, Ola Lundqvist <ola@inguza.com> wrote:
Hi

This time I have a question about the package tinymce. It is also in dla-needed but I'm not sure why.

I can see that there are a few CVEs that do not have the no-dsa mark. As far as I understand, based on that it should be part of dla-needed. However, if you look more closely, you can see that all those CVEs are of a "cross site scripting" nature, and when you look at the rest of the issues in that list there are many more with the same type of issue that are marked as no-dsa.

If I had triaged this package as front-desk I would have marked the rest the same, with the reasoning that there are already so many of the same type that it does not help to fix a few others.

So my question is:
- Should those CVEs that are not no-dsa today be marked as no-dsa, and in that case should the package be removed from dla-needed?
or
- Should the XSS-type issues already marked as no-dsa in fact have the no-dsa tag removed, so that we fix them as well?

Cheers

// Ola

--
 --- Inguza Technology AB --- MSc in Information Technology ----
|  ola@inguza.com                    opal@debian.org            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
 ---------------------------------------------------------------
