Hi,

On 22/07/19 1:13 pm, Brian May wrote:
> I am a bit unclear when we should be some issues, and when we should be
> marking them as no-DSA (or similar).
>
> For example, webpack was three issues:
>
> - CVE-2019-1010315: divide by zero
> - CVE-2019-1010317: use of uninitialized memory.
> - CVE-2019-1010319: use of uninitialized memory.
>
> All three issues have been marked no-DSA by the security team. Does that
> mean we should do the same thing?
>
> I don't think there is any proven direct security vulnerability (other
> than maybe a DOS attack by killing a remote service), however that does
> not mean there isn't a security vulnerability, especially for the 2nd two
> CVEs.
>

If you see it as trivial, you can mark it as <postponed> and fix it with later updates.

--abhijith.