Vulnerabilities rated medium or low risk may not be fixed by Debian security team, is that correct?

To: debian-security@lists.debian.org
Subject: Vulnerabilities rated medium or low risk may not be fixed by Debian security team, is that correct?
From: te3d4q@sigaint.org
Date: Tue, 11 Oct 2016 14:54:11 -0000
Message-id: <[🔎] eae7d98cc7550642774010d3fa7fdfb4.webmail@localhost>

I read somewhere on a forum that for security vulnerabilities that have
"NVD security" ratings of medium or low risk, Debian's security team may
not issue patches/fixes for them. Only high-risk security vulnerabilities
will be fixed. Is that correct?

I was under the impression that all security vulnerabilities of whatever
their risk ratings will be fixed.

If you are a member of or know someone who is on Debian's security team,
please clarify ask them to clarify it for me. Thanks.

Reply to:

Follow-Ups:
- Re: Vulnerabilities rated medium or low risk may not be fixed by Debian security team, is that correct?
  - From: Moritz Mühlenhoff <jmm@inutil.org>

Prev by Date: Re: timing of PHP 5.6 security updates
Next by Date: Re: Vulnerabilities rated medium or low risk may not be fixed by Debian security team, is that correct?
Previous by thread: Helping Debian Lists Address S*P*A*M (Was: Activate your GlobalTestMarket membership)
Next by thread: Re: Vulnerabilities rated medium or low risk may not be fixed by Debian security team, is that correct?
Index(es):
- Date
- Thread