Dear maintainer,
I would like to clarify the appropriate circumstances under which a Debian bug report should be submitted for CVE-related fixes. Specifically, I'm uncertain about the following five scenarios:

Condition 1: The fix is already applied in sid and Trixie, but not yet in Bookworm. (Example: CVE-2024-57823)

- Am I allowed to prepare and submit patches for multiple Debian versions (e.g., Bookworm, Bullseye)? Or will the Debian team backport the fix themselves later?
- Should external contributors avoid submitting patches in such cases?

Condition 2: The fix is available but not applied in any Debian release yet. (Example: CVE-2025-31344)

- Am I allowed to prepare and submit patches for multiple Debian versions (e.g., Sid, Trixie, Bookworm, Bullseye)?
- If yes, should I reply to the existing bug report and attach the patch, or should I open separate bug reports for each affected release?

Condition 3: A fix is available in the latest upstream version, but the CVE has no Debian bug ID. (Example: CVE-2023-4133)

- May I submit a patch to Debian in this case as well, even though no bug is currently filed?
- If so, should I first open a Debian bug and then submit the patch there?

Condition 4: The CVE has no associated Debian bug ID and no upstream fix yet. (Example: CVE-2020-36694)

- If I am able to develop a fix myself, may I submit it to Debian for affected versions?
- Also, how can I link the new Debian bug report to the CVE so that the bug appears on the CVE tracker?

Condition 5: There is no fix available yet from upstream, and the CVE already has a bug ID. (Example: CVE-2024-58036)

- I understand Debian usually waits for upstream to release a patch. However, is there a way I can notify Debian once upstream does publish the fix, so that the CVE tracker can be updated accordingly?

Thank you for your time and guidance. I appreciate your support and would like to contribute patches in the most efficient and helpful way.

Best regards,
Rong