Re: Question about tinymce dsa/no-dsa decisions
Hi Ola,
On 12/03/2024 20:52, Ola Lundqvist wrote:
> I have claimed the package myself now. I think the conclusion will be
> that all are minor issues and the package does not need an update. But we
> will see when I have gone through all the CVEs.

tinymce is only available up to buster, so we don't have to sync with
stable/oldstable, and can make a decision directly.

> However if you look more closely, you can see that all
> those CVEs are of "cross site scripting" nature and when you look at
> the rest of the issues in that list there are many more with the
> same type of issue and then marked as no-dsa.

In this case, XSS is defeating the core feature of the tool, so I would
fix them.

> If I had triaged this package as front-desk I would have
> marked the rest the same with the reasoning that there are anyway so
> many of the same type so it does not help to fix a few others.

The newer CVEs weren't shown in FD's tools since it was already added to
dla-needed.txt, hence why they weren't triaged.

> So my question is:
> - Should those CVEs that are not no-dsa today be marked as no-dsa
> and in that case the package be removed from dla-needed?
> or
> - Should the XSS type issues already marked as no-dsa in fact
> have the no-dsa tag removed and we should fix them as well?

See also my other mail on interpreting "no-dsa" in the context of LTS.
Here we've got a bunch of postponed XSS to fix, and a sponsor, so I'd
say go ahead and publish a DLA to fix them all :)
Cheers!
Sylvain
FD this week