On Wed, Dec 16, 2020 at 07:36:19AM +0100, Ola Lundqvist wrote:
> Hi LTS team
>
> I have checked two of the pluxml issues
> CVE-2020-18184
> This vulnerability is questioned upstream.
>...
> The question is how this should be marked:
> - no-dsa minor issue?
> - ignored?
>...

"not a vulnerability" or "no security impact" is usually marked
"unimportant", see e.g.
https://security-tracker.debian.org/tracker/source-package/python3.7

For pluxml the same CVEs are "vulnerable" in stable+unstable and with
RC bug #973382 open, the security team should know best how to handle
this based on your analysis.

> Best regards
>
> // Ola

cu
Adrian