Hi Ola,

On Tue, May 17, 2022 at 12:35 PM Ola Lundqvist <o...@inguza.com> wrote:
> While triaging today I noticed this rather old CVE. The elog package
> is clearly vulnerable (at least when looking through the source code).
> However I noticed that elog is removed (exists in buster and bullseye
> though) and it has a very low popcon score.
>
> Is it worth fixing?

I think this is a "<postponed> (Fix along with the next DLA)" candidate. It doesn't appear to be severe enough to warrant a DLA independently (unless I've overlooked something here).

> If not, we should say that this package is unsupported.

I don't think so. The only open CVE has a fix present. We should only mark something as unsupported when there's a solid reason to, for instance, when the number of CVEs is too high with no or little help/cooperation from upstream, et al., et al. In this case, I don't think we should mark this as EOL yet.

- u