On Sun, Mar 01, 2020 at 01:27:03PM +0100, Thorsten Alteholz wrote:
>
>
> On Sun, 1 Mar 2020, Emilio Pozuelo Monfort wrote:
> > I think we can all agree that the problem here is that there was an
> > unexpected issue (a security upload getting rejected) that required sort
> > of immediate work from a third party (an ftp-master).
>
> I would like to add here, that the CVE in question is marked as no-dsa in
> Stretch and Buster, so I don't see that the term "immediate" is appropriate.
> And while I am at it, why aren't the other seven CVEs for zsh that are also
> marked as no-dsa solved as well?
>

The stretch/buster triage decision was made after I had completed the jessie
package. I happen to think that this particular vulnerability (CVE-2019-20044)
merits fixing since it involves a privilege escalation of sorts. The rationale
behind the no-dsa decision for stretch/buster is unknown to me.

As far as the other CVEs, it is my practice to review postponed
vulnerabilities, but not ignored or no-dsa vulnerabilities. If we are meant to
revisit all unfixed vulnerabilities when working on a package, then that is
news to me.

Regards,

-Roberto

-- 
Roberto C. Sánchez