Hi Ola,
On 12/03/2024 20:52, Ola Lundqvist wrote:
> I have claimed the package myself now. I think the conclusion will be
> that all are minor issues and the package does not need an update. But we
> will see when I have gone through all the CVEs.
tinymce is only available up to buster, so we don't have to sync with
stable/oldstable, and can make a decision directly.
> However if you look more closely, you can see that all
> those CVEs are of "cross site scripting" nature and when you look at
> the rest of the issues in that list there are many more with the
> same type of issue and then marked as no-dsa.
In this case, XSS is defeating the core feature of the tool, so I would
fix them.
> If I had triaged this package as front-desk I would have
> marked the rest the same, with the reasoning that there are so
> many of the same type anyway that it does not help to fix a few others.
The newer CVEs weren't shown in FD's tools since the package was already
added to dla-needed.txt, which is why they weren't triaged.
> So my question is:
> - Should those CVEs that are not no-dsa today be marked as no-dsa
> and in that case the package to be removed from dla-needed?
> or
> - Should the XSS type issues already be marked as no-dsa in fact
> have the no-dsa tag removed and we should fix them as well?
See also my other mail on interpreting "no-dsa" in the context of LTS.
Here we've got a bunch of postponed XSS to fix, and a sponsor, so I'd
say go ahead and publish a DLA to fix them all :)
Cheers!
Sylvain
FD this week