
Re: Guidance for CVE triage and listing packages in dla-needed.txt



On Mon, Mar 18, 2024 at 01:01:28PM +0100, Emilio Pozuelo Monfort wrote:
> On 14/03/2024 21:36, Roberto C. Sánchez wrote:
> > - if a CVE is 'fixed' in LTS but 'ignored' in (old)stable, then the
> >    security team should be contacted to see if they would be willing to
> >    change to 'no-dsa' so that a point release fix can be made
> 
> Small nitpick: a CVE 'ignored' for (old)stable can still be fixed via point
> release. The sec-team could be contacted to update that triaging, but that's
> only ignored for (old)stable-security, not for (old)stable, where other
> criteria apply. The reason following the ignored triaging may give some
> more insight as to why it was ignored and why it may or may not make sense
> to fix in a point release.
> 
Thanks. I was not aware of this distinction.

Regards,

-Roberto

-- 
Roberto C. Sánchez
