Hello everyone, I'll merge my replies to Moritz and Salvatore into a single email.

Moritz,

On Tue, 29 Oct 2024 at 19:15, Moritz Mühlenhoff <j...@inutil.org> wrote:
> I'm also in favour of changing the tracking. The current procedure addresses a
> fringe use case (supporting rebuilds of source packages) in an incomplete
> manner
> and leaves too much room for confusion.

Right, so as a part of this change, we need to make sure we always allow older releases to still be marked as affected or any other status.

I assume all the code that needs to be updated for this lives under the security-tracker package, right?

Salvatore,

On Tue, 29 Oct 2024 at 19:43, Salvatore Bonaccorso <car...@debian.org> wrote:
> As mentioned in an earlier message: What I would love to see is to
> actually have a substate which makes the situation clear, and still
> being technically correct. I was envisioning something which would be
> a substate like we have for the substate of no-dsa (ignored,
> postponed).

This sounds like the solution proposal A2, quoting it:

> ## A2) Add a new mutually exclusive state to the set: "not-affected-build-artifacts"

Would this be aligned to what you're looking for?

> Can it be that in this case the "unimportant" part of the CVE was
> ignored?

It did show up as unimportant in my report, but it was still marked as affecting.

> In this case even if it would have been still unfixed, it was
> marked from the beginning as unimportant. What I have seen often here
> was that scannings were not taking into account that the whole CVE was
> classified unimportant.

I've realized that by the time I sent my email it had already been updated in the tracker to not-affected (I used scan results from roughly 1 week before the email), a happy coincidence, but we were claiming to be affected for 5 years until then.

This CVE is now marked as fixed in our tracker as the upstream version we ship mitigated that (even though Debian was never really affected).

So a new scan today for oldstable/stable will have this as a fixed CVE and there's no false positive, at least for oldstable and newer.

It is still marked as affecting buster and older releases, and so users might think they are fixing something through the upgrade:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/abda8e71a6c2e45c8219c9fb86792fb4da2468cb

Freexian's security tracker showing that buster and older are still affected per the current process:
https://deb.freexian.com/extended-lts/tracker/CVE-2019-19882

Thank you for the feedback so far!

--
Samuel Henrique <samueloph>