The notes say: [bookworm] - zlib <ignored> (contrib/minizip not built and src:zlib not producing binary packages)

In other words, there's no point in fixing it because Debian doesn't build the vulnerable binary component. Very low priority.
Could you please drop a link to those notes?
If CVSS is "critical" and the Debian tracking system says "bookworm - vulnerable", why does it have low priority?
Maybe I just don't understand the process behind "Debian doesn't build the vulnerable binary component", so please clarify in more detail.
CVSS are often bogus.
Hmmm... I'm not sure what you mean. All security announcements in DSAs refer to CVSS, so... what's the source of such an opinion?
Also a bit of an enigmatic explanation for me... Similar problem with the second critical on the list: package "libaom3", which is a binary package from "aom": https://security-tracker.debian.org/tracker/source-package/aom

It could crash on invalid input. That's minor. It could crash on invalid input. Also minor. It could potentially be used to execute code with the privileges of the user running the software, which is bad, but it appears to only exist in Android, so Debian thinks it is not interesting.
You say: minor, minor, it appears to only exist in Android.
Really? :-)