Bug#995785: Various vulnerabilities in mapserver

Sebastiaan Couwenberg sebastic at xs4all.nl
Tue Oct 5 20:34:21 BST 2021


On 10/5/21 8:50 PM, Max Kellermann wrote:
> On 2021/10/05 20:38, Sebastiaan Couwenberg <sebastic at xs4all.nl> wrote:
>> Security issues in packages are tracked via CVEs in:
>>
>>  https://security-tracker.debian.org/tracker/
>>
>> Only high severity issues are worth our time to fix in stable. If you
>> don't follow proper procedure and get CVEs for your security issues,
>> they won't get any severity assigned and hence won't get fixed in stable.
> 
> Your stance contradicts what's documented on
> https://www.debian.org/security/
> 
>  "We handle all security problems brought to our attention and ensure
>  that they are corrected within a reasonable timeframe."
> 
> Nothing about CVE requirement on that page.  Nor here:
> 
>  https://www.debian.org/security/cve-compatibility
> 
> Or here:
> 
>  https://www.debian.org/security/faq#handling
> 
>  "How is security handled in Debian?  Once the security team receives
>  a notification of an incident, one or more members review it and
>  consider its impact on the stable release of Debian (i.e. if it's
>  vulnerable or not). If our system is vulnerable, we work on a fix for
>  the problem.  ..."
> 
> The wording is "brought to your attention" and "receive a
> notification", but nowhere is there an official "proper procedure"
> which requires reporters to obtain a CVE.
> 
> Why are you hiding behind a "proper procedure" which doesn't exist -
> when this should be really about protecting Debian users from a
> security vulnerability?

The severity of your so-called security vulnerability is low based on
the discussion in the upstream issue. Our users don't need protection
from that. I do need protection from wasting my time on this issue.

If you want me to take your security issues seriously and spend time on
getting the fixes into Debian, get those issues into security-tracker
which happens automatically for CVEs.

Kind Regards,

Bas

-- 
 GPG Key ID: 4096R/6750F10AE88D4AF1
Fingerprint: 8182 DE41 7056 408D 6146  50D1 6750 F10A E88D 4AF1
