[Pkg-javascript-devel] Bug#1078880: Bug#1078880: gettext.js: CVE-2024-43370
Salvatore Bonaccorso
carnil at debian.org
Tue Aug 20 14:30:30 BST 2024
Hi,
On Tue, Aug 20, 2024 at 05:20:38PM +0400, Yadd wrote:
> On 8/20/24 16:34, Moritz Mühlenhoff wrote:
> > Hi Yadd,
> >
> > > here is a simple patch for this issue
> >
> > The debdiff looks fine, but I don't believe this needs a
> > DSA, can you please submit this for the next point update
> > instead?
>
> Agree, but the bug was tagged as "grave" ;-)
The severity and the no-dsa/dsa decision can be orthogonal in the
following sense: Assume an issue is not severe enough to have an
immediate DSA, but a point release is approaching, still the issue
should be made sure to be fixed in the upper suite (considering it
release critical) so we would not start latest trixie with the open
issue.
Having it at RC level ensures this, gives enough grace time (there
won't be an imminent removal anyway) and raises the hint-flag.
I choose such in particular when I see there is the same version
across several releases, and a new upstream version exists to really
make sure we avoid having the issue in the upper suite.
Does this make sense? Or do you have issues with the assessment as
'grave' in this case?
Regards,
Salvatore