
Re: no-dsa for Samba CVEs in Debian.
On Tue, May 18, 2021 at 09:38:30AM +1200, Andrew Bartlett wrote:
> On Mon, 2021-05-17 at 22:17 +0200, Sylvain Beucler wrote:
> > Hello Andrew,
> > 
> > I read your message as well as
> > https://alioth-lists.debian.net/pipermail/pkg-samba-maint/2021-May/022771.html
> > and I believe I can add a few more pointers, as part of the
> > (separate)
> > Debian Long Term Support (LTS) team.
> > 
> > (I'm a bit confused because you're listed as a Debian package
> > maintainer at https://packages.debian.org/sid/samba but I assume
> > you're asking from upstream / Samba maintainers' point of view.)
> 
> Yeah, I helped build the current monster, and try to help out when I
> can, mostly in terms of advice, but I've increasingly stepped back.  My
> various Debian privileges, such as I had them, have expired and I
> should probably be retired to 'lurker' status.
> 
> > First "no-dsa" (and its sub-states ignored/postponed) is described
> > at:
> > https://security-team.debian.org/security_tracker.html#issues-not-warranting-a-security-advisory
> > Note that no-dsa usually means fixing the issue is not
> > urgent/critical and does not need high-priority tracking/action
> > from the Security Team, but the package maintainer(s) may track and
> > prepare a fix nonetheless, e.g. through Debian's quarterly point
> > releases (10.x).
> > Likewise, I read "Minor issue" as "non-critical".
> > 
> > By contrast, "unimportant" is a lesser severity state, and matching
> > CVEs will likely never be fixed due to inapplicability in Debian or
> > questionable security relevance.
> 
> Can you clarify the mapping between "Minor issue"/"non-critical" and
> the Severity levels table?  Samba generally only issues a CVE for
> things that are "medium" or above.

You mean the NVD severities? We do not use those values for deciding
the Debian specific assessment if an issue warrants a DSA or not, but
the tracker displays them as part of fetching the NVD data.

Regards,
Salvatore