[Pkg-xen-devel] Bug#1021668: Bug#1021668: xen: CVE-2022-33749 CVE-2022-33748 CVE-2022-33747 CVE-2022-33746

Salvatore Bonaccorso carnil at debian.org
Tue Oct 18 14:36:29 BST 2022


Hi Hans,

On Tue, Oct 18, 2022 at 02:17:32PM +0200, Hans van Kranenburg wrote:
> Hi!
> 
> On 10/12/22 19:38, Moritz Mühlenhoff wrote:
> > Source: xen
> > X-Debbugs-CC: team at security.debian.org
> > Severity: important
> > Tags: security
> > 
> > Hi,
> > 
> > The following vulnerabilities were published for xen.
> > 
> > CVE-[...]
> Thanks for the overview. The XAPI one indeed does not apply to src:xen.
> 
> I have a question, since the 'bug' report does not contain a question,
> or explicit call for action, and I have not seen it in this way before.
> 
> Does explicitly opening a BTS bug mean that, as we used to call it,
> "these CVEs warrant a DSA", and that it is a request for an ASAP package
> update and preparing a security update for stable, or, is this a new
> thing where BTS bugs are opened for packages, just in case the
> maintainer did not already track security issues themselves actively?

Filing a bug, or even its severity, may be completely orthogonal to
the question of whether something warrants a DSA. In fact, you will notice
in the security-tracker that issues triaged as no-dsa, not warranting a DSA
but which could be fixed in a point release or piggy-backed as well in
a later update, are also filed as bugs for tracking in the BTS with
severity grave, indicating though that the issue should be assumed RC
and be fixed in testing so that the next stable version will include a
fix.

Filing a bug makes sure maintainers are aware of the issues.

Hope this helps,

Regards,
Salvatore
