
Re: Guidance for CVE triage and listing packages in dla-needed.txt

On Mon, Mar 18, 2024 at 09:40:45PM +0100, Moritz Muehlenhoff wrote:
> Emilio Pozuelo Monfort wrote:
> > Small nitpick: a CVE 'ignored' for (old)stable can still be fixed via point
> > release. The sec-team could be contacted to update that triaging, but that's
> > only ignored for (old)stable-security, not for (old)stable, where other
> > criteria applies. The reason following the ignored triaging may give some
> > more insight as to why it was ignored and why it may or may not make sense
> > to fix in a point release.
> 
> That's not in line with established practices, see
> https://security-team.debian.org/triage.html
> 
> | Some packages should rather not be fixed at all, e.g. because the possible
> | benefit does not outweigh the risk/costs of an update, or because an update
> | is not possible (e.g. as it would introduce behavioural changes not appropriate
> | for a stable release). In the Security Tracker these are tracked with the
> | <ignored> state.

But there is a problem that many <ignored> are not correct,
or at least lack a valid justification:

$ git grep "<ignored> (Minor issue)" | grep bookworm | wc -l
29
$ git grep "<ignored> (Minor issue)" | grep bullseye | wc -l
191
$

"Minor issue" is a good justification for no-dsa, but not for ignored.

And when I look through some of these I see CVEs like CVE-2023-48958[1]
where <ignored> is likely outright wrong, or (unlikely) lacks an
explanation that it causes a regression.

> Cheers,
>         Moritz

cu
Adrian

[1] https://security-tracker.debian.org/tracker/CVE-2023-48958
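As an added illustration (not part of this thread, and not the security team's own tooling): the `git grep` above counts lines, but it cannot tell a suite's triage state apart from its rationale. The small parser below reads the layout of the tracker's data/CVE/list file (an assumption about which file the grep searches) and lists, per suite, the CVEs marked <ignored> whose only rationale is "Minor issue"; all CVE ids, packages and reasons in the sample are constructed.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the layout of data/CVE/list (ids/packages are made up).
SAMPLE = """\
CVE-2024-0001 (constructed: out-of-bounds read in a parser)
\t- examplepkg 1.2.3-2 (bug #900001)
\t[bookworm] - examplepkg <ignored> (Minor issue)
\t[bullseye] - examplepkg <no-dsa> (Minor issue)
CVE-2024-0002 (constructed: denial of service via crafted input)
\t- otherpkg 2.0-1
\t[bookworm] - otherpkg <ignored> (Fix would introduce behavioural changes)
\t[bullseye] - otherpkg <ignored> (Minor issue)
CVE-2024-0003 (constructed: fixed in the suite via a point release)
\t- thirdpkg 3.1-1
\t[bullseye] - thirdpkg 3.0-2+deb11u1
"""

# A per-suite line: "[suite] - pkg <state> (reason)" or "[suite] - pkg version".
SUITE_LINE = re.compile(
    r"^\t\[(?P<suite>[a-z]+)\] - (?P<pkg>\S+) (?P<fix>\S+)(?: \((?P<reason>.*)\))?$"
)
CVE_LINE = re.compile(r"^(CVE-\d{4}-\d{4,})")


def parse_cve_list(text: str) -> Dict[str, List[dict]]:
    """Map each CVE id to its per-suite records: suite, pkg, state, reason."""
    entries: Dict[str, List[dict]] = {}
    current = None
    for line in text.splitlines():
        m = CVE_LINE.match(line)
        if m:
            current = m.group(1)
            entries[current] = []
            continue
        m = SUITE_LINE.match(line)
        if m and current:
            fix = m.group("fix")
            # "<ignored>"/"<no-dsa>"/... is a state; anything else is a fixed version.
            state = fix.strip("<>") if fix.startswith("<") else "fixed"
            entries[current].append({"suite": m.group("suite"), "pkg": m.group("pkg"),
                                     "state": state, "reason": m.group("reason")})
    return entries


def weakly_justified_ignored(entries: Dict[str, List[dict]], suite: str,
                             weak_reasons=("Minor issue",)) -> List[Tuple[str, str]]:
    """CVEs where `suite` is <ignored> with a rationale that only supports no-dsa."""
    return [(cve, r["pkg"]) for cve, recs in entries.items() for r in recs
            if r["suite"] == suite and r["state"] == "ignored" and r["reason"] in weak_reasons]
```

Running `weakly_justified_ignored(parse_cve_list(SAMPLE), "bullseye")` on the sample flags only the otherpkg entry, while the no-dsa line with the same rationale is left alone.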

