Bug#995785: Various vulnerabilities in mapserver
Max Kellermann
max at blarg.de
Tue Oct 5 19:50:47 BST 2021
On 2021/10/05 20:38, Sebastiaan Couwenberg <sebastic at xs4all.nl> wrote:
> Security issues in packages are tracked via CVEs in:
>
> https://security-tracker.debian.org/tracker/
>
> Only high severity issues are worth our time to fix in stable. If you
> don't follow proper procedure and get CVEs for your security issues,
> they won't get any severity assigned and hence won't get fixed in stable.
Your stance contradicts what's documented on
https://www.debian.org/security/
"We handle all security problems brought to our attention and ensure
that they are corrected within a reasonable timeframe."
Nothing about CVE requirement on that page. Nor here:
https://www.debian.org/security/cve-compatibility
Or here:
https://www.debian.org/security/faq#handling
"How is security handled in Debian? Once the security team receives
a notification of an incident, one or more members review it and
consider its impact on the stable release of Debian (i.e. if it's
vulnerable or not). If our system is vulnerable, we work on a fix for
the problem. ..."
The wording is "brought to your attention" and "receive a
notification", but nowhere is there an official "proper procedure"
which requires reporters to obtain a CVE.
Why are you hiding behind a "proper procedure" which doesn't exist -
when this should be really about protecting Debian users from a
security vulnerability?
Max