[Pkg-javascript-devel] Bug#1078880: Bug#1078880: gettext.js: CVE-2024-43370
Salvatore Bonaccorso
carnil at debian.org
Wed Aug 21 07:41:03 BST 2024
Hi Xavier,
On Tue, Aug 20, 2024 at 05:33:49PM +0400, Yadd wrote:
> On 8/20/24 17:30, Salvatore Bonaccorso wrote:
> > Hi,
> >
> > On Tue, Aug 20, 2024 at 05:20:38PM +0400, Yadd wrote:
> > > On 8/20/24 16:34, Moritz Mühlenhoff wrote:
> > > > Hi Yadd,
> > > >
> > > > > here is a simple patch for this issue
> > > >
> > > > The debdiff looks fine, but I don't believe this needs a
> > > > DSA, can you please submit this for the next point update
> > > > instead?
> > >
> > > Agree, but the bug was tagged as "grave" ;-)
> >
> > The severity and the no-dsa/dsa decision can be orthogonal in the
> > following sense: Assume an issue is not severe enough to have an
> > immediate DSA, but a point release is approaching, still the issue
> > should be made sure to be fixed in the upper suite (considering it
> > release critical) so we would not start latest trixie with the open
> > issue.
> >
> > Having it at RC level ensures this, gives enough grace time (there
> > won't be an imminent removal anyway) and raises the hint-flag.
> >
> > I choose such in particular when I see there is the same version
> > across several releases, and a new upstream version exists to really
> > make sure we avoid having the issue in the upper suite.
> >
> > Does this make sense? Or have you issues with the assessment as
> > 'grave' in this case?
>
> No problem, I just filed issues for Bookworm and Bullseye
Thank you!
Regards,
Salvatore