[Pkg-javascript-devel] Bug#1078880: Bug#1078880: gettext.js: CVE-2024-43370
Yadd
yadd at debian.org
Tue Aug 20 14:33:49 BST 2024
On 8/20/24 17:30, Salvatore Bonaccorso wrote:
> Hi,
>
> On Tue, Aug 20, 2024 at 05:20:38PM +0400, Yadd wrote:
>> On 8/20/24 16:34, Moritz Mühlenhoff wrote:
>>> Hi Yadd,
>>>
>>>> here is a simple patch for this issue
>>>
>>> The debdiff looks fine, but I don't believe this needs a
>>> DSA, can you please submit this for the next point update
>>> instead?
>>
>> Agree, but the bug was tagged as "grave" ;-)
>
> The severity and the no-dsa/dsa decision can be orthogonal in the
> following sense: Assume an issue is not severe enough to have an
> immediate DSA, but a point release is approaching, still the issue
> should be made sure to be fixed in the upper suite (considering it
> release critical) so we would not start latest trixie with the open
> issue.
>
> Having it at RC level ensures this, gives enough grace time (there
> won't be an imminent removal anyway) and raises the hint-flag.
>
> I choose such in particular when I see there is the same version
> across several releases, and a new upstream version exists to really
> make sure we avoid having the issue in the upper suite.
>
> Does this make sense? Or have you issues with the assessment as
> 'grave' in this case?
No problem, I just filed issues for Bookworm and Bullseye.
Cheers,
Xavier