Re: Debian Security Tracker - `no-dsa` Clarification
Hi,
You may want to read this thread:
https://lists.debian.org/debian-security/2021/05/msg00010.html
https://lists.debian.org/debian-security/2021/05/msg00012.html
I'd suggest you also explain your context, you seem to use the Debian
tracker to trigger some action on your part, while the triage is meant
to guide the Debian Security / LTS Teams' actions only, and is not
particularly fine-grained.
Cheers!
Sylvain Beucler
Debian LTS Team
On 21/11/2022 11:01, Hadas Bloom wrote:
My name is Hadas, I'm in the Snyk Security Group. I've been in contact
with you a while back regarding the `no-dsa` field and its different tags.
I just want to further confirm if our understanding of the usage of the
various terms (`no-dsa`, `ignored`, `postponed`, "Minor issue") is correct:
1. From this
<https://wiki.debian.org/LTS/Development#:~:text=%22no%2Ddsa%22%20is,the%20victim%27s%20infrastructure.> documentation it seems that "Minor issue" should not be used for drawing conclusions on the severity of the vulnerability, but from this <https://security-team.debian.org/security_tracker.html#issues-not-warranting-a-security-advisory:~:text=Sometimes%20an%20issue%20might%20not%20warrant%20an%20(immediate)%20security%20advisory%2C%20for%20example%20if%20its%20severity%20is%20minor.%20When%20that%27s%20the%20case%2C%20they%20are%20marked%20with%20a%20distribution%20tag%2C%20the%20%3Cno%2Ddsa%3E%20state%20and%20an%20explanation.> documentation it does seem like the severity might mean "minor" in these cases. Could you please clarify that?
2. In our previous conversation there was a suggestion only to use the
`ignored` and `postponed` tags to understand the priority of the
vulnerability.
I do see that there are certain vulnerabilities, for example
CVE-2022-45198
<https://security-tracker.debian.org/tracker/CVE-2022-45198> in Buster,
that are only marked with "Minor issue" in the `no-dsa` field, and don't
have either of the `ignored` or `postponed` tags. Could you please help
us understand what we should do in such cases? What does the "Minor
issue" suggest here?
Reply to: