Re: Debian Security Tracker - `no-dsa` Clarification


You may want to read this thread:

I'd suggest you also explain your context: you seem to use the Debian tracker to trigger some action on your part, while the triage is meant to guide the Debian Security / LTS Teams' actions only, and is not particularly fine-grained.

Sylvain Beucler
Debian LTS Team

On 21/11/2022 11:01, Hadas Bloom wrote:
My name is Hadas, I'm in the Snyk Security Group. I was in contact with you a while back regarding the `no-dsa` field and its different tags.

I just want to further confirm if our understanding of the usage of the various terms (`no-dsa`, `ignored`, `postponed`, "Minor issue") is correct:

1. From this <https://wiki.debian.org/LTS/Development#:~:text=%22no%2Ddsa%22%20is,the%20victim%27s%20infrastructure.> documentation it seems that "Minor issue" should not be used for drawing conclusions on the severity of the vulnerability, but from this <https://security-team.debian.org/security_tracker.html#issues-not-warranting-a-security-advisory:~:text=Sometimes%20an%20issue%20might%20not%20warrant%20an%20(immediate)%20security%20advisory%2C%20for%20example%20if%20its%20severity%20is%20minor.%20When%20that%27s%20the%20case%2C%20they%20are%20marked%20with%20a%20distribution%20tag%2C%20the%20%3Cno%2Ddsa%3E%20state%20and%20an%20explanation.> documentation it does seem like the severity might mean "minor" in these cases. Could you please clarify that?

2. In our previous conversation there was a suggestion only to use the `ignored` and `postponed` tags to understand the priority of the vulnerability. I do see that there are certain vulnerabilities, for example CVE-2022-45198 <https://security-tracker.debian.org/tracker/CVE-2022-45198> in Buster, that are only marked with "Minor issue" in the `no-dsa` field, and don't have either of the `ignored` or `postponed` tags. Could you please help us understand what we should do in such cases? What does the "Minor issue" suggest here?
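The distinction the thread turns on (an `ignored` or `postponed` sub-state is an explicit triage decision, while a bare `no-dsa` text such as "Minor issue" only says the issue does not warrant an advisory) is easy to get wrong when the tracker is consumed mechanically. The following is an added example, not code from either message and not Debian's own tooling, showing how a downstream consumer might bucket entries from the tracker's JSON export. The JSON layout (package -> CVE -> `releases` -> `status`, `urgency`, `nodsa`, `nodsa_reason`, `fixed_version`) is assumed from my recollection of https://security-tracker.debian.org/tracker/data/json and should be checked against the live file; the sample data, the `examplepkg` package name and the `CVE-0000-*` identifiers are constructed, with CVE-2022-45198 included only as the case Hadas cites.

```python
"""Bucket Debian security-tracker entries by their no-dsa state.

Added example, not code from the thread or from Debian. The JSON layout
(package -> CVE -> "releases" -> {status, urgency, nodsa, nodsa_reason,
fixed_version}) is an assumption based on the tracker's export at
https://security-tracker.debian.org/tracker/data/json; verify the key
names against the live file before relying on them.
"""
import json

# Constructed sample. CVE-2022-45198 mirrors the case from the thread
# (buster, "Minor issue", no ignored/postponed reason); the CVE-0000-* ids,
# the "examplepkg" package and all free-text strings are made up.
SAMPLE_JSON = json.dumps({
    "examplepkg": {
        "CVE-2022-45198": {
            "description": "<omitted>",
            "releases": {
                "buster": {"status": "open", "urgency": "unimportant",
                           "nodsa": "Minor issue"},
                "bullseye": {"status": "resolved", "urgency": "unimportant",
                             "fixed_version": "1.0-2"},
            },
        },
        "CVE-0000-0001": {
            "description": "<placeholder>",
            "releases": {
                "buster": {"status": "open", "urgency": "low",
                           "nodsa": "Minor issue",
                           "nodsa_reason": "postponed"},
            },
        },
        "CVE-0000-0002": {
            "description": "<placeholder>",
            "releases": {
                "buster": {"status": "open", "urgency": "low",
                           "nodsa": "Minor issue",
                           "nodsa_reason": "ignored"},
            },
        },
        "CVE-0000-0003": {
            "description": "<placeholder>",
            "releases": {
                "buster": {"status": "open", "urgency": "high"},
            },
        },
    }
})


def classify_release(rel):
    """Map one release record to a triage bucket.

    Only 'ignored' and 'postponed' carry a decision about priority. A bare
    nodsa string such as "Minor issue" records that the issue does not
    warrant an advisory; it is not a severity rating of the vulnerability.
    """
    if rel.get("status") == "resolved":
        return "fixed"
    if "nodsa" not in rel:
        return "open"            # no no-dsa decision recorded: still pending
    reason = rel.get("nodsa_reason")
    if reason in ("ignored", "postponed"):
        return reason            # explicit sub-state, safe to act on
    return "no-dsa"              # free text only; do not infer severity


def triage(tracker_json):
    """Return {(cve, release): bucket} for every release entry in the export."""
    data = json.loads(tracker_json)
    out = {}
    for cves in data.values():
        for cve, info in cves.items():
            for release, rel in info.get("releases", {}).items():
                out[(cve, release)] = classify_release(rel)
    return out


def pending_for_release(tracker_json, release):
    """CVEs in `release` that are neither fixed nor explicitly ignored.

    'postponed' and bare 'no-dsa' entries stay on the list: Debian has not
    ruled them out, so a consumer should keep tracking them rather than
    treating the "Minor issue" text as a reason to drop them.
    """
    buckets = triage(tracker_json)
    return sorted(cve for (cve, rel), b in buckets.items()
                  if rel == release and b not in ("fixed", "ignored"))


if __name__ == "__main__":
    for key, bucket in sorted(triage(SAMPLE_JSON).items()):
        print(key, bucket)
    print("pending in buster:", pending_for_release(SAMPLE_JSON, "buster"))
```

The point of the separate `no-dsa` bucket is that it is neither "ignored" nor a severity: a consumer that wants a priority signal should key on `nodsa_reason` (and on the tracker's `urgency`, which is a separate field), and treat free-text `nodsa` entries as "triaged, still open" rather than as "minor".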

