severity 973382 normal
thanks

Hi Moritz and Adrian

Thank you for the advice. I have now marked these two CVEs as unimportant. I have also downgraded the bug (with this email). If someone does not agree, it is easy to revert my actions.

Cheers

// Ola

On Wed, 16 Dec 2020 at 13:58, Moritz Mühlenhoff <j...@inutil.org> wrote:
> On Wed, Dec 16, 2020 at 10:28:47AM +0200, Adrian Bunk wrote:
> > On Wed, Dec 16, 2020 at 07:36:19AM +0100, Ola Lundqvist wrote:
> > > Hi LTS team
> > >
> > > I have checked two of the pluxml issues
> > > CVE-2020-18184
> > > This vulnerability is questioned upstream.
> > >...
> > > The question is how this should be marked:
> > > - no-dsa minor issue?
> > > - ignored?
> > >...
> >
> > "not a vulnerability" or "no security impact" is usually marked
> > "unimportant", see e.g.
> > https://security-tracker.debian.org/tracker/source-package/python3.7
> >
> > For pluxml the same CVEs are "vulnerable" in stable+unstable and with RC
> > bug #973382 open, the security team should know best how to handle this
> > based on your analysis.
>
> When filing bugs in the BTS, the impact isn't always obvious and when in
> doubt filed with high severity to be on the safe side (maintainer can
> always downgrade anyway). If these are non-issues, it's usually best to
> reach out to upstream and get the CVE disputed or rejected, but it seems
> no one replied to Seth Arnold's question in issue 320 since October, so
> that's probably in vain, so feel free to mark these as <unimportant>.
>
> Cheers,
> Moritz

--
--- Inguza Technology AB --- MSc in Information Technology ----
| o...@inguza.com o...@debian.org |
| http://inguza.com/ Mobile: +46 (0)70-332 1551 |
---------------------------------------------------------------