Re: Guidance for CVE triage and listing packages in dla-needed.txt

To: debian-lts@lists.debian.org
Subject: Re: Guidance for CVE triage and listing packages in dla-needed.txt
From: Emilio Pozuelo Monfort <pochu@debian.org>
Date: Mon, 18 Mar 2024 13:01:28 +0100
Message-id: <[🔎] e424634e-4d62-4f98-9413-618675900a4e@debian.org>
In-reply-to: <[🔎] ZfNfu-vqni1jBLnH@connexer.com>
References: <[🔎] ZfNfu-vqni1jBLnH@connexer.com>

On 14/03/2024 21:36, Roberto C. Sánchez wrote:

- if a CVE is 'fixed' in LTS but 'ignored' in (old)stable, then the
   security team should be contacted to see if they would be willing to
   change to 'no-dsa' so that a point release fix can be made

Small nitpick: a CVE 'ignored' for (old)stable can still be fixed via pointrelease. The sec-team could be contacted to update that triaging, but that'sonly ignored for (old)stable-security, not for (old)stable, where other criteriaapplies. The reason following the ignored triaging may give some more insight asto why it was ignored and why it may or may not make sense to fix in a pointrelease.


Cheers,
Emilio

Reply to:

Follow-Ups:
- Re: Guidance for CVE triage and listing packages in dla-needed.txt
  - From: Roberto C. Sánchez <roberto@debian.org>
- Re: Guidance for CVE triage and listing packages in dla-needed.txt
  - From: Moritz Muehlenhoff <jmm@inutil.org>

References:
- Guidance for CVE triage and listing packages in dla-needed.txt
  - From: Roberto C. Sánchez <roberto@debian.org>

Prev by Date: Re: Expanding the scope (slightly) of dla-needed.txt
Next by Date: Re: Security releases for ecosystems that use static linking
Previous by thread: Re: Guidance for CVE triage and listing packages in dla-needed.txt
Next by thread: Re: Guidance for CVE triage and listing packages in dla-needed.txt
Index(es):
- Date
- Thread