Re: Debian 12 security issue - please help to understand
Rafał Lichwała wrote:
>
> On 29.01.2025 2:12 PM, Dan Ritter wrote:
> > The notes say:
> >
> > [bookworm] - zlib <ignored> (contrib/minizip not built and src:zlib not producing binary packages)
> >
> > In other words, there's no point in fixing it because Debian
> > doesn't build the vulnerable binary component.
> >
> > Very low priority.
>
> Could you please drop a link to those notes?
It's in the links that you sent.
> If CVSS is "critical" and the Debian tracking system says "bookworm -
> vulnerable", why does it have low priority?
>
> Maybe I just don't understand the process of this "Debian doesn't build the
> vulnerable binary component", so please clarify in more detail.
>
> > CVSS are often bogus.
>
> Hmmm... I'm not sure what you mean. All security announcements in DSAs are
> referring to CVSS, so... what's the source of such opinion?
Most recently: https://daniel.haxx.se/blog/2025/01/23/cvss-is-dead-to-us/
> You say: minor, minor, it appears to only exist in Android
>
> Really? :-)
I read the notes. You sent the links, you should read them.
-dsr-