Hi, On 20/03/2020 01:37, Utkarsh Gupta wrote: > I was curious to know if we can (or rather, we should) fix some > CVE(s), which has been marked minor/unimportant by the Security team > or/and the person at front-desk, if there's a demand for it (meaning, > some Jessie user requested it)? > Or, if the maintainer (upstream or downstream or both) wants it to be > fixed in Jessie? These are 2 cases (request from Jessie user or from maintainer) that I yet to see :) Do you have a specific case in mind?
More generally: - minor: when marked no-dsa or postponed (no-dsa substate), usually those are usually fixed later in batch, or along with a normal/major security flaw, to avoid too many security updates (whose impact is not neutral for users) - unimportant: those are more rare and usually not fixed at all, because they are not supposed to impact security in the context of our Debian package Cheers! Sylvain
