Re: Debian Security Tracker - `no-dsa` Clarification

To: Hadas Bloom <hadas.bloom@snyk.io>, debian-security@lists.debian.org
Cc: Leeya Shaltiel <leeya@snyk.io>, Gur Shafriri <gur.shafriri@snyk.io>, Tal Dromi <tal.dromi@snyk.io>
Subject: Re: Debian Security Tracker - `no-dsa` Clarification
From: Sylvain Beucler <beuc@beuc.net>
Date: Mon, 21 Nov 2022 13:44:16 +0100
Message-id: <[🔎] 4913f7a2-01b2-eb90-58b4-e0a2a6756bec@beuc.net>
In-reply-to: <[🔎] CA+=Z2kjHuL1=rTf4-jKPv3W5r30jh-R5K-+KURcZhS_vJ5PV3w@mail.gmail.com>
References: <[🔎] CA+=Z2kjHuL1=rTf4-jKPv3W5r30jh-R5K-+KURcZhS_vJ5PV3w@mail.gmail.com>

Hi,

You may want to read this thread:
https://lists.debian.org/debian-security/2021/05/msg00010.html
https://lists.debian.org/debian-security/2021/05/msg00012.html

I'd suggest you also explain your context, you seem to use the Debiantracker to trigger some action on your part, while the triage is meantto guide the Debian Security / LTS Teams' actions only, and is notparticularly fine-grained.


Cheers!
Sylvain Beucler
Debian LTS Team

On 21/11/2022 11:01, Hadas Bloom wrote:

My name is Hadas, I'm in the Snyk Security Group. I've been in contactwith you a while back regarding the `no-dsa` field and its different tags.
I just want to further confirm if our understanding of the usage of thevarious terms (`no-dsa`, `ignored`, `postponed`, "Minor issue") is correct:
1. From this<https://wiki.debian.org/LTS/Development#:~:text=%22no%2Ddsa%22%20is,the%20victim%27s%20infrastructure.> documentation it seems that "Minor issue" should not be used for drawing conclusions on the severity of the vulnerability, but from this <https://security-team.debian.org/security_tracker.html#issues-not-warranting-a-security-advisory:~:text=Sometimes%20an%20issue%20might%20not%20warrant%20an%20(immediate)%20security%20advisory%2C%20for%20example%20if%20its%20severity%20is%20minor.%20When%20that%27s%20the%20case%2C%20they%20are%20marked%20with%20a%20distribution%20tag%2C%20the%20%3Cno%2Ddsa%3E%20state%20and%20an%20explanation.> documentation it does seem like the severity might mean "minor" in these cases. Could you please clarify that?
2. In our previous conversation there was a suggestion only to use the`ignored` and `postponed` tags to understand the priority of thevulnerability.I do see that there are certain vulnerabilities, for exampleCVE-2022-45198<https://security-tracker.debian.org/tracker/CVE-2022-45198> in Buster,that are only marked with "Minor issue" in the `no-dsa` field, and don'thave either of the `ignored` or `postponed` tags. Could you please helpus understand what we should do in such cases? What does the "Minorissue" suggest here?

Reply to:

References:
- Debian Security Tracker - `no-dsa` Clarification
  - From: Hadas Bloom <hadas.bloom@snyk.io>

Prev by Date: Debian Security Tracker - `no-dsa` Clarification
Next by Date: Upcoming stable point release (11.6)
Previous by thread: Debian Security Tracker - `no-dsa` Clarification
Next by thread: Upcoming stable point release (11.6)
Index(es):
- Date
- Thread