If it is a security issue, it needs to be rated correctly. It is okay to
assign a CVE ID to an issue, even if it is low or medium severity. Yes, we do
not always backport medium or low CVEs, especially if fixing them in
older versions is complicated and requires non-trivial rewriting.
We would backport even _important_ issues without CVE IDs into releases
with _full_ support. But it has to have a known reproducer and have no
simple workaround in configuration. I do not think this is such a case.
If this is a problem in the configuration generator, then fix the generator
or validate inputs from the user.
Petr
On 27/10/2025 21:40, Sebastian Pipping wrote:
> Hello Stuart,
>
> On 10/27/25 20:45, Stuart Henderson wrote:
>> On 2025/10/27 19:51, Sebastian Pipping wrote:
>>> Also, fixes without a CVE will not be backported downstream.
>>
>> That depends on the downstream.
>
> I'm happy to learn which downstreams backport security issues
> without a CVE, in practice. Do you have an example or two?
>
> Thanks and best
>
> Sebastian
--
Petr Menšík
Senior Software Engineer, RHEL
Red Hat, https://www.redhat.com/
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB