
Re: Question about tinymce dsa/no-dsa decisions



Hi Ola,

On 12/03/2024 20:52, Ola Lundqvist wrote:
I have claimed the package myself now. I think the conclusion will be that all are minor issues and the package does not need an update. But we will see when I have gone through all the CVEs.

tinymce is only available up to buster, so we don't have to sync with stable/oldstable, and can make a decision directly.

    However, if you look more closely, you can see that all
    those CVEs are of "cross site scripting" nature, and when you look at
    the rest of the issues in that list there are many more with the
    same type of issue that are then marked as no-dsa.

In this case, XSS is defeating the core feature of the tool, so I would fix them.

    If I had triaged this package as front-desk I would have
    marked the rest the same, with the reasoning that there are anyway so
    many of the same type that it does not help to fix a few others.

The newer CVEs weren't shown in FD's tools since the package was already added to dla-needed.txt, which is why they weren't triaged.

    So my question is:
    - Should those CVEs that are not no-dsa today be marked as no-dsa
    and in that case the package to be removed from dla-needed?
    or
    - Should the XSS type issues already be marked as no-dsa in fact
    have the no-dsa tag removed and we should fix them as well?

See also my other mail on interpreting "no-dsa" in the context of LTS.

Here we've got a bunch of postponed XSS to fix, and a sponsor, so I'd say go ahead and publish a DLA to fix them all :)

Cheers!
Sylvain
FD this week
